Data Processing Addendum

1. Background

   1. In accordance with clause 10 of the Agreement, this Data Processing Addendum ("DPA") sets out the basis on which Astrada uses the Customer Personal Data (as defined below) for the purposes of providing the Astrada Service. 
   2. In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail. 
   3. Both parties will comply with all applicable requirements of the Data Protection Laws (as defined below). This DPA is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
      
      

2. Definitions

   1. Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in clause 2 of the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
      1. "Customer Personal Data" means the “personal data” or “personal information” (as defined in the Data Protection Laws) of Users supplied by the Customer for the purposes of Astrada providing the Astrada Service;
      2. “Data Protection Laws” means all laws relating to the use, protection and privacy of Customer Personal Data (including, without limitation, the privacy of electronic communications) which are from time to time applicable to the Customer, Astrada or the Astrada Service;
      3. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data; and
      4. "Sub-processor" means any processor engaged by Astrada that receives from Astrada any Customer Personal Data.
         
         

3. DATA PROCESSING

   1. Instructions for Data processing.
      1. Astrada will only process Customer Personal Data in accordance with: (i) the Agreement (including the Permitted Use), to the extent necessary to provide the Astrada Service; and (ii) the Customer's written instructions; unless processing is required by applicable laws to which Astrada is subject, in which case Astrada shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Customer Personal Data.
      2. The Agreement (subject to any changes to the Astrada Service agreed between the parties), including this DPA, shall be the Customer's complete and final instructions to Astrada in relation to the processing of Customer Personal Data.
      3. Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Astrada on additional instructions for processing
   2. Required consents and disclosures. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained or will obtain all necessary consents, and has provided appropriate disclosures and notices, for the processing of Customer Personal Data by Astrada and the Card Networks in accordance with the Agreement (including the Permitted Use), including consent from Users to enable the Card Networks to collect, process and share Customer Personal Data relating to the Users for the purposes set out in the Agreement (including this DPA).
      
      

4. TRANSFER OF PERSONAL DATA

   1. Authorized Sub-processors. 
      1. The Customer agrees that Astrada may use subcontractors on Astrada’s approved sub-processor list (“Sub-processor List”) to fulfill its contractual obligations under the Agreement, and Astrada shall ensure that it only appoints Sub-processors on the Sub-processor List. Astrada shall not update the Sub-processor List without first notifying Customer and giving the Customer the opportunity to object to such update. The Sub-processor List is available upon Customer request to support@astrada.co. Customer may object to such update by notifying Astrada and discussing a reasonable alternative in good faith. If an alternative cannot be agreed, Customer or Astrada may terminate the Agreement on 30 days’ notice.
      2. Astrada shall enter into a written agreement with Sub-processors which imposes materially the same obligations on the Sub-processor with regards to their processing of Customer Personal Data as are imposed on Astrada under this DPA. 
   2. Liability of Sub-processors. Astrada shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub-processor appointed by Astrada as if they were the acts and omissions of Astrada.
      
      

5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS

   1. Astrada Security Obligations. Astrada shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 1.
   2. Security Audits. Astrada shall make available to the Customer, and the Customer may audit (using independent third party auditors at Customer’s cost, upon at least 30 days’ notice, and no more than once annually), all information reasonably necessary to demonstrate compliance with this DPA (including the technical and organizational measures as set out in ANNEX 1).  The Customer’s right to audit in this paragraph 5.2 is subject always to the confidentiality provisions of the Agreement. Customer acknowledges and agrees that Astrada may, at its discretion, provide a current audit report (such as PCI-DSS compliance audit) in lieu of granting audit access provided that such audit report adequately addresses the scope of processing under this DPA. .
   3. Security Incident Notification. If Astrada or any Sub-processor becomes aware of a Security Incident, Astrada will (a) notify the Customer of the Security Incident within seventy-two (72) hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
   4. Astrada Employees and Personnel. Astrada shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
      1. access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data; and 
      2. any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
         
         

6. INDIVIDUALS’ RIGHTS

   1. Requests from individuals.
      1. Save as required (or where prohibited) under applicable law, Astrada shall notify the Customer of any request received by Astrada or any Sub-processor from an individual to exercise their rights in respect of their personal data included in the Customer Personal Data under Data Protection Laws (“Individual Requests”), and shall not respond to any such request. 
      2. Astrada shall use reasonable efforts to assist the Customer to fulfil the Customer’s obligation to respond to Individual Requests.
   2. Government Disclosure. Astrada shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority), unless otherwise prohibited by law or a legally binding order of such body or agency. 
      
      

7. DELETION OF DATA

   1. Subject to paragraph 7.2 below, the Customer may in its absolute discretion notify Astrada in writing within thirty (30) days of the date of termination of the Agreement to require Astrada to delete and procure the deletion of all copies of Customer Personal Data processed by Astrada. Astrada shall, within 13 months of the date of termination of the Agreement:
      
      1. comply with any such written request; and
      2. procure that its Sub-processors delete all Customer Personal Data processed by such Sub-processors.
   2. Astrada and its Sub-processors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Astrada shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

ANNEX 1

Technical and Organizational Security Measures

1. Astrada maintains internal policies and procedures, or procures that its Sub-processors do so, which are designed to:
   1. secure any Customer Personal Data processed by Astrada against accidental or unlawful loss, access or disclosure;
   2. identify reasonably foreseeable and internal risks to security and unauthorized access to the Customer Personal Data processed by Astrada;
   3. minimize security risks, including through risk assessment and regular testing.
2. Astrada will, and will use reasonable efforts to procure that its Sub-processors, conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies and procedures.
3. Astrada will, and will use reasonable efforts to procure that its Sub-processors periodically, evaluate the security of its network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
4. Astrada is certified as a PCI-DSS Level 1 Service Provider.