Our policies and agreements governing the use of Astrada's services.
Last updated: July 23, 2024
In accordance with clause 10 of the Agreement, this Data Processing Addendum ("DPA") sets out the basis on which Astrada uses the Customer Personal Data (as defined below) for the purposes of providing the Astrada Service.
In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
Both parties will comply with all applicable requirements of the Data Protection Laws (as defined below). This DPA is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in clause 2 of the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
Astrada will only process Customer Personal Data in accordance with: (i) the Agreement (including the Permitted Use), to the extent necessary to provide the Astrada Service; and (ii) the Customer's written instructions; unless processing is required by applicable laws to which Astrada is subject, in which case Astrada shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Customer Personal Data.
The Agreement (subject to any changes to the Astrada Service agreed between the parties), including this DPA, shall be the Customer's complete and final instructions to Astrada in relation to the processing of Customer Personal Data.
Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Astrada on additional instructions for processing.
Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained or will obtain all necessary consents, and has provided appropriate disclosures and notices, for the processing of Customer Personal Data by Astrada and the Card Networks in accordance with the Agreement (including the Permitted Use), including consent from Users to enable the Card Networks to collect, process and share Customer Personal Data relating to the Users for the purposes set out in the Agreement (including this DPA).
The Customer agrees that Astrada may use subcontractors on Astrada's approved sub-processor list ("Sub-processor List") to fulfill its contractual obligations under the Agreement, and Astrada shall ensure that it only appoints Sub-processors on the Sub-processor List. Astrada shall not update the Sub-processor List without first notifying Customer and giving the Customer the opportunity to object to such update. The Sub-processor List is available upon Customer request to support@astrada.co. Customer may object to such update by notifying Astrada and discussing a reasonable alternative in good faith. If an alternative cannot be agreed, Customer or Astrada may terminate the Agreement on 30 days' notice.
Astrada shall enter into a written agreement with Sub-processors which imposes materially the same obligations on the Sub-processor with regards to their processing of Customer Personal Data as are imposed on Astrada under this DPA.
Astrada shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub-processor appointed by Astrada as if they were the acts and omissions of Astrada.
Astrada shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Annex 1.
Astrada shall make available to the Customer, and the Customer may audit (using independent third party auditors at Customer's cost, upon at least 30 days' notice, and no more than once annually), all information reasonably necessary to demonstrate compliance with this DPA (including the technical and organizational measures as set out in Annex 1). The Customer's right to audit in this paragraph is subject always to the confidentiality provisions of the Agreement. Customer acknowledges and agrees that Astrada may, at its discretion, provide a current audit report (such as a PCI-DSS compliance audit) in lieu of granting audit access provided that such audit report adequately addresses the scope of processing under this DPA.
If Astrada or any Sub-processor becomes aware of a Security Incident, Astrada will (a) notify the Customer of the Security Incident within seventy-two (72) hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
Astrada shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
Save as required (or where prohibited) under applicable law, Astrada shall notify the Customer of any request received by Astrada or any Sub-processor from an individual to exercise their rights in respect of their personal data included in the Customer Personal Data under Data Protection Laws ("Individual Requests"), and shall not respond to any such request.
Astrada shall use reasonable efforts to assist the Customer to fulfil the Customer's obligation to respond to Individual Requests.
Astrada shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority), unless otherwise prohibited by law or a legally binding order of such body or agency.
Subject to the paragraph below, the Customer may in its absolute discretion notify Astrada in writing within thirty (30) days of the date of termination of the Agreement to require Astrada to delete and procure the deletion of all copies of Customer Personal Data processed by Astrada. Astrada shall, within 13 months of the date of termination of the Agreement:
Astrada and its Sub-processors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Astrada shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Astrada maintains internal policies and procedures, or procures that its Sub-processors do so, which are designed to:
Astrada will, and will use reasonable efforts to procure that its Sub-processors, conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies and procedures.
Astrada will, and will use reasonable efforts to procure that its Sub-processors, periodically evaluate the security of its network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
Astrada is certified as a PCI-DSS Level 1 Service Provider.