Data Processing Agreement
1. Introduction and Application
1.1. This Data Processing Addendum and its Exhibits (the “DPA”) govern the use and protection of Customer Personal Data by Demodia while providing Services to a Customer in terms of a Principal Agreement.
1.2. The DPA is integral to the Services and forms part of any Principal Agreement concluded between Demodia and the Customer.
2. Definitions and Interpretation
2.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
2.2. “Control”, for the purposes of the definition of Affiliate, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
2.3. "Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Customer Personal Data.
2.4. “Customer” means the entity procuring the Services from Demodia in terms of the Principal Agreement.
2.5. “Customer Personal Data” means any Personal Data pertaining to the Customer’s Data Subjects, which is Processed by Demodia in terms of the Principal Agreement.
2.6. “Data Protection Law” means all laws and regulations applicable to the Processing of Customer Personal Data under the Principal Agreement, including but not limited to the GDPR, the Swiss FDAP.
2.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.
2.8. "Demodia” means the Demodia entity providing the Services to the Customer in terms of the Principal Agreement.
2.9. “Instruction” means the written, documented instruction, issued by the Customer as Controller or Processor to Demodia as the Processor or Sub-processor, directing Demodia to perform a specific Processing action with regard to Customer Personal Data.
2.10. "Parties” means Demodia and the Customer, and “Party” shall be a reference to either Demodia or the Customer, as the context may require.
2.11. “Principal Agreement” means the written or electronic agreement between Demodia and the Customer for the provision of the Services.
2.12. “Processor” means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller.
2.13. “Services” means the services specified in the Principal Agreement, which may include HubSpot marketing, business, sales and services consulting, sales and services onboarding, web development and technical integration, and SEO and paid media services.
2.14. “Sensitive Information” means credit or debit card numbers and biometric information.
2.15. “Special Category Data” means Personal Data that falls within the definition of “special categories of data” under the UK GDPR, excluding Sensitive Information as defined in this DPA.
2.16. The terms “Data Subject”, “Personal Data Breach”, “Processing” (or any cognate terms), and “Supervisory Authority” shall all have the same meaning as in the GDPR or the corresponding terms as provided for other Data Protection Law.
2.17. Capitalised terms which are not defined herein have the meaning ascribed to them in the Principal Agreement.
2.18. In case of any conflict or inconsistency with the terms of the Principal Agreement, this DPA will take precedence.
3. Processing of Customer Personal Data
3.1. In the course of providing Services under the Principal Agreement, Demodia may Process certain Customer Personal Data on behalf of the Customer. Demodia and the Customer agree to comply with this DPA in connection with the Processing of such Customer Personal Data.
3.2. The subject matter and duration of the Processing, the nature and purpose of the Processing and the types of Customer Personal Data are set out in the Principal Agreement and/or in Exhibit 1 to this DPA.
4. Controllership Roles
4.1. In the context of this DPA, when Customer acts as a Controller, Demodia acts as a Processor, and when Customer acts as a Processor, Demodia acts as a sub-Processor. For the avoidance of doubt, both situations fall within the scope of this DPA.
5. Customer Responsibility and Undertakings
5.1. When acting as Controller within the scope of the Principal Agreement:
5.1.1. the Customer assumes absolute responsibility for the Instructions given to Demodia where applicable, and warrants to Demodia that it will always comply with its statutory obligations in terms of Data Protection Law, including, without limitation, law regarding the disclosure and transfer of Customer Personal Data to Demodia and the Processing of Customer Personal Data;
5.1.2. the Customer will ensure that any Customer Personal Data provided to Demodia by, or on behalf of, the Customer has been collected lawfully, fairly and in a transparent manner to enable such Customer Personal Data to be Processed by Demodia for all of the Purposes;
5.1.3. the Customer unconditionally acknowledges and accepts the legal duties imposed on it as a Controller in terms of Data Protection Law and indemnifies Demodia for any loss or harm (whether direct or consequential) which may arise as a result of its failure to comply with its obligations as Controller; and
5.1.4. the Customer will ensure that the persons giving instructions to Demodia and making decisions in relation with this DPA are authorized by the Customer and that such instructions are binding upon the Customer. Demodia shall be entitled to rely on such instructions and decisions.
5.2. If the Customer is a Processor with respect to the Customer Personal Data, the Customer warrants that its Instructions and actions with respect to the Processing of the Customer Personal Data, including its appointment of Demodia as a sub-Processor, have been authorised by the relevant Controller.
5.3. Customer’s Instructions for the Processing of Customer Personal Data shall comply with Data Protection Law and the Customer indemnifies Demodia to the greatest extent permissible in law for any direct loss occasioned by Demodia acting as Processor on behalf of and/or on the Instructions of the Controller with respect to the Processing of Customer Personal Data pursuant to the Principal Agreement.
5.4. As between the Parties, the Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired such Customer Personal Data.
5.5. The Customer shall at its sole expense, indemnify and hold Demodia harmless against all liability, including legal costs, claims, civil actions, damages, indirect or consequential damages, or expenses incurred by Demodia or for which Demodia may become liable due to any failure by the Customer or its employees or agents whether authorised or not, to comply with the obligations under the Principal Agreement or Data Protection Law.
5.6. The Customer warrants that the Principal Agreement and this DPA sets out the Customer’s complete and final Instruction to Demodia in relation to the Processing of Customer Personal Data and any additional Instructions outside the scope of the Principal Agreement will require prior written agreement between the Parties.
5.7. The Customer shall inform Demodia without undue delay and comprehensively about any errors or irregularities related to Data Protection Law.
5.8. The Customer shall inform Demodia, without delay, if the Processing includes special categories of Customer Personal Data as contemplated by Data Protection Law, including without limitation: financial, medical and health-related information, information regarding children, or any type of Processing of Personal Data that is afforded a higher level of protection under Data Protection Law. In such an event, the Customer shall ensure that any required explicit consent from the data subjects are obtained in writing and securely stored, which shall be specific, informed and unambiguous, as per GDPR Article 9 requirements.
6. Demodia's Obligations
6.1. Compliance with Instructions
6.1.1. In relation to the Customer Personal Data, Demodia will comply (and will ensure that any of its personnel comply and use commercially reasonable efforts to ensure that its Contracted Sub-Processors comply), with Data Protection Law.
6.1.2. Demodia will collect, Process, and use Customer Personal Data only within the scope of the Customer’s written instructions and in accordance with Data Protection Law. If Demodia believes that any Instruction infringes Data Protection Law, it will inform the Customer without undue delay.
6.1.3. If Demodia is unable to Process Customer Personal Data as per the Customer’s Instructions due to a legal requirement, Demodia will:
6.1.3.1. promptly notify the Customer of that legal requirement before continuing with the Processing; and
6.1.3.2. cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new Instructions with which Demodia is able to comply.
6.1.4. If section 6.1.3 of this DPA is invoked, Demodia will not be liable to the Customer under the Principal Agreement for any failure to perform until such time as the Customer issues new, lawful Instructions.
6.1.5. Demodia will facilitate the Customer’s compliance obligations to implement security measures with respect to Customer Personal Data (including, if applicable, the Customer’s obligations pursuant to Articles 32 to 36 (inclusive) of the GDPR) by: (i) implementing and maintaining the security measures described in Demodia’s Information Security Policies; (ii) complying with the terms of section 6.3 (Personal Data Breaches) of this DPA; (iii) assisting the Customer in meeting its obligations in relation to a data protection impact assessment or prior consultation with a Supervisory Authority; and (iv) providing the Customer with information in relation to the Processing in accordance with section 7 (Audits) of this DPA.
6.2. Confidentiality
6.2.1. Demodia will ensure that any personnel, whether they are employed or contracted as such, who are under Demodia’s authority and who are authorised to Process Customer Personal Data are subject to confidentiality obligations with respect to Customer Personal Data.
6.2.2. The undertaking of confidentiality in section 6.2.1 shall continue after the termination of the Processing activities to which the duty of confidentiality relates.
6.2.3. This confidentiality undertaking does not apply where information is disclosed by the Processor in compliance with a legal requirement of a government agency, or otherwise where disclosure is required by force of the governing law specified under the Principal Agreement, provided always that the Processor shall, to the extent reasonably possible whilst complying with that governing law, notify the Controller of such requirement prior to any such disclosure and provide the Controller with a reasonable opportunity to contest the requirement to disclose the information or to limit the extent of the disclosure.
6.3. Personal Data Breaches
6.3.1. Demodia will notify the Customer as soon as possible after becoming aware of any Personal Data Breach affecting Customer Personal Data.
6.3.2. At the Customer’s request, Demodia will promptly provide the Customer with all reasonable assistance to enable the Customer to notify the competent Supervisory Authority/ies and/or affected Data Subjects about any relevant Personal Data Breaches if Customer is required to do so under Data Protection Law.
6.4. Data Subject Requests
6.4.1. Demodia will provide reasonable assistance including the implementation of reasonable and appropriate technical and organisational measures, to enable Customer to respond to any Data Subjects seeking to exercise their rights under Data Protection Law (including their right to access, rectification, restriction, deletion, or portability of Customer Personal Data), to the extent permitted by the law. If such a request is made directly to Demodia, Demodia will promptly inform the Customer and will advise Data Subjects to submit their request to the Customer. The Customer shall be solely responsible for responding to any Data Subjects’ requests. The Customer shall reimburse Demodia for any costs arising from this assistance.
6.4.2. Without prejudice to clause 6.2.3, Demodia agrees to obtain the written consent of the Customer prior to acting on any request for disclosure of Customer Personal Data by a Data Subject, where that request is not of a legal nature to which Demodia must adhere.
6.5. Data Security
6.5.1. Taking into account the state of the art, nature, and level of sensitivity of the Customer Personal Data, Demodia shall implement appropriate measures toward achieving the required technical and organisational measures to adequately protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures are outlined in Exhibit 1.
6.6. Contracted Sub-Processors
6.6.1. The Customer authorises Demodia to engage Sub-Processors to fulfil its obligations defined in the Principal Agreement (each an “Infrastructure Sub-Processor” or an “Affiliate Sub-Processor”) in accordance with this Section 6.6. For these purposes, Demodia may use Demodia Affiliates and the third parties listed in Exhibit 2 of this DPA as Contracted Sub-Processors.
6.6.2. If Demodia intends to instruct a Contracted Sub-Processor other than the Contracted Sub-Processors listed in Exhibit 2 of this DPA, Demodia will notify the Customer in writing (including by way of email to the Customer email address(es) on record) and will give the Customer the opportunity to object to the proposed engagement of the new Contracted Sub-Processor within 14 (fourteen) days of being notified, failing which Demodia will be entitled to appoint the Contracted Sub-Processor. Should Customer object to the engagement of a Contracted Sub-Processor, such objection must be based on reasonable grounds (e.g., if the Customer proves that significant risks to the protection of its Customer Personal Data exist at the Contracted Sub-Processor). If Demodia and Customer are unable to resolve such objections, either Party may terminate the Principal Agreement in accordance with its provisions relating to termination.
6.6.3. Where Demodia engages a Contracted Sub-Processor, Demodia will enter into a contract with the Contracted Sub-Processor that imposes on the Contracted Sub-Processor the same obligations that apply to Demodia and the Customer under this DPA.
6.6.4. Where a Contracted Sub-Processor is engaged, the Customer is granted the right to monitor and inspect the Contracted Sub-Processor’s activities in accordance with this DPA and Data Protection Law, including to obtain information from Demodia, upon written request, on the substance of the contract and the implementation of the data protection obligations under the contract with the Contracted Sub-Processor, where necessary, by inspecting the relevant contract documents, provided that Demodia’s engagement with the Contracted Sub-Processor does not prohibit such disclosure. Demodia reserves the right to redact sections in such contract documents that are of a commercially sensitive nature.
6.6.5. The provisions of this section shall apply equally if Demodia engages a Contracted Sub-Processor in a country which does not provide an adequate level of protection for Customer Personal Data as provided for in Data Protection Law. In this event, Demodia will implement measures to ensure an “adequate level of protection”, including, but not limited to, the execution of standard contractual clauses issued pursuant to Data Protection Law by and between Demodia and the Contracted Sub-Processor.
6.7. Deletion or Retrieval of Customer Personal Data
6.7.1. Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Principal Agreement, Demodia will, at the choice of the Customer, delete or return all Customer Personal Data (including copies thereof) processed pursuant to the Principal Agreement.
6.7.2. The Customer shall, upon termination or expiration of the Principal Agreement and by way of issuing an instruction, stipulate, within a period of time set by Demodia, whether Customer Personal Data should be returned or deleted. Any additional cost arising in connection with the return or deletion of Customer Personal Data shall be borne by the Customer.
7. Audits
7.1. The Customer may, subject to the confidentiality terms in the Principal Agreement, prior to the commencement of Processing, at annual intervals thereafter, or where a Personal Data Breach is reasonably suspected to have occurred, audit the technical and organisational measures taken by Demodia in terms of Data Protection Law. For such purpose, the Customer may:
7.1.1. obtain information from Demodia, demonstrating Demodia’s compliance with the terms of this DPA;
7.1.2. request an attestation or certificate by an independent professional expert with respect to Demodia’s security measures; or
7.1.3. upon reasonable and timely advance agreement, during regular business hours and without interrupting business operations, conduct an on-site inspection of the business operations or, subject to appropriate confidentiality undertakings, have the same conducted by a qualified third party which shall not be a competitor of Demodia. The Controller will impose sufficient confidentiality obligations on its auditors and will be liable for this aspect.
7.2. Demodia shall, upon written request and within a reasonable period of time, provide the Customer with all information necessary for the purposes of this section 7 of the DPA, to the extent that such information is within Demodia’s control and Demodia is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
7.3. The Customer must send, or will request that its external auditors send, a draft version of the audit report to Demodia. Demodia has the right to submit its comments within a reasonable timeframe. The auditor shall take Demodia’s comments into account and include these comments in its final report submitted to the Customer.
7.4. The Customer shall bear the expenses unless any serious non-compliance or breach of data protection obligations is found, in which case the party responsible for the violation shall bear the audit costs. The allocation of costs shall be determined based on the proportionate responsibility for the non-compliance or breach. Both Parties shall cooperate in good faith to minimise audit expenses while ensuring a thorough assessment of data protection practices.
8. Liability
8.1. The Customer shall be liable for, and shall indemnify (and keep indemnified) Demodia in respect of, any and all actions, fines, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands suffered or incurred by, awarded against, or agreed to be paid by, Demodia, including any Contracted Sub-Processor, arising directly from or in connection with:
8.1.1. any non-compliance by the Customer with Data Protection Law;
8.1.2. notwithstanding section 6.1.1, any Customer Personal Data Processing carried out by Demodia or its Contracted Sub-Processor in accordance with Instructions given by the Customer that infringe Data Protection Law; or
8.1.3. any breach by the Customer of its obligations under this DPA, except to the extent that Demodia or any Contracted Sub-Processor is liable under section 8.2 below.
8.2. Demodia shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands suffered or incurred by, awarded against, or agreed to be paid by, the Customer, arising directly from Demodia’s Customer Personal Data Processing activities that are subject to this DPA:
8.2.1. only to the extent that the same results from Demodia’s breach of this DPA;
8.2.2. subject to Section 8.4 below, only to the extent that the same results from a Personal Data Breach by a Contracted Sub-Processor or a Contracted Sub-Processor’s non-compliance with Data Protection Law; and
8.2.3. not to the extent that the same is contributed to by any breach of this DPA by the Customer.
8.3. The Customer shall not be entitled to claim back from Demodia or its Contracted Sub-Processors any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify Demodia under section 8.1 above.
8.4. Notwithstanding anything to the contrary in this DPA, the maximum aggregate liability of Demodia, howsoever arising due to a Personal Data Breach at a Contracted Sub-Processor or a Contracted Sub-Processor’s non-compliance with Data Protection Law, shall be limited to 2 (two) times the amount paid to Demodia for the Services during the 12 (twelve) month period preceding the date on which the claim arose.
9. General Provisions
9.1. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
9.2. This DPA is applicable for the duration of the Principal Agreement with surviving provisions applying as the applicable law and context dictates.
9.3. This DPA shall be governed in accordance with the governing law set out in the Principal Agreement.
Exhibit 1: Details of Customer Personal Data and Processing Activities
1. Subject matter of Processing:
The subject matter of the Processing of Customer Personal Data pertains to the provision of Services in terms of the Principal Agreement.
2. Nature and purpose of Processing:
The nature and purpose of the Processing pertain to the provision of the Services to the Customer, pursuant to the Principal Agreement, this DPA and the Customer’s Instructions.
3. Duration of the Processing:
Until the earliest of (i) expiry/termination of the Principal Agreement, or (ii) the date upon which Processing is no longer necessary for the purposes of either Party performing its obligations under the Principal Agreement (to the extent applicable).
4. Categories of Data Subjects:
Customer contacts and other end users, including the Customer’s employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
Data Subjects also include individuals attempting to communicate with or transfer Customer Personal Data to the Customer’s end users.
5. Categories of Customer Personal Data:
- Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion.
- Biographical data, demographic data, personal statements, personal interests, purchase history.
- Employment details & history, employee performance data.
- Details of goods or services provided to or for the benefit of individuals.
- Navigational data, browsing history and cookies (including website usage information).
- Email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via the HubSpot subscription service.
6. Special categories of Customer Personal Data:
Special categories of Customer Personal Data will be Processed under this DPA. The Customer is obligated to inform Demodia if any special categories of Customer Personal Data will be Processed in terms of Section 5.8 of the DPA.
7. Description of the technical and organisational measures implemented by Demodia:
Demodia will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia:
- the pseudonymisation and encryption of personal data where possible;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
For transfers to Contracted Sub-Processors, the specific technical and organisational measures to be taken by the Contracted Sub-Processors to be able to provide assistance to the Controller and, for transfers from a Processor to Contracted Sub-Processors, to the data exporter:
When Demodia engages a Contracted Sub-Processor under this DPA, Demodia and the Contracted Sub-Processor must enter into an agreement with data protection terms substantially similar to those contained in this DPA.
Demodia must ensure that the agreement with each Contracted Sub-Processor allows Demodia to meet its respective obligations with respect to the Customer. In addition to implementing technical and organisational measures to protect Customer Personal Data, each Contracted Sub-Processor must:
- notify Demodia in the event of a Personal Data Breach;
- delete Customer Personal Data when instructed by Demodia in accordance with the Customer’s Instructions to Demodia;
- establish clear procedures to promptly respond to Data Subjects’ requests regarding their Special Category Data;
- not engage additional Contracted Sub-Processors without Demodia’s authorisation; and
- not process Customer Personal Data in a manner which conflicts with the Customer’s instructions to Demodia.
8. Data Breach Notification Procedures:
In the event of a Personal Data Breach involving Special Category Data, Demodia shall follow robust procedures to promptly detect, report, and investigate the breach in compliance with GDPR Articles 33 and 34.
9. Frequency of transfers:
Personal Data is transferred in accordance with the Customer’s Instructions to Demodia to Process Customer Personal Data for the provision of the Services under the Principal Agreement.
10. Audits and Reviews:
Demodia shall, upon written request, be allowed to conduct Data Protection Impact Assessments (DPIAs) for Processing activities involving Special Category Data to identify and mitigate risks to Data Subjects’ rights and freedoms.
11. Further Processing:
Demodia will not carry out further Processing on Customer Personal Data. Processing is limited to what is strictly necessary for the provision of the Services.
12. Controllership Roles:
Data Exporter: Customer, acting as a Controller or Processor in terms of Section 4.1 of this DPA.
Data Importer: Demodia, acting as a Processor or sub-Processor in terms of Section 4.1 of this DPA.
Exhibit 2: List of Contracted Processors
Demodia infrastructure Sub-Processors
| Name of 3rd Party / Sub-Processor | Applicable Services | Purpose of Processing | Location of Processing |
|---|---|---|---|
| Google Workspace | Email and file hosting provider | Infrastructure | EU |
| HubSpot | Store and manage customer and prospect data | CRM | US |
| Bexio | Manage financial and accounting data | Legal bookkeeping and accounting | CH |