TenWeb Data Processing Agreement
- “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” shall have the meanings ascribed to them in Data Protection Laws.
- “Client Personal Data” means any Personal Data subject to the Data Protection Laws that Client provides, transfers, or makes accessible to TenWeb in connection with the Services.
- “Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and any similar or related implementing legislation by European Union or European Economic Area member states, the United Kingdom, or Switzerland.
In the course of providing the Services to the Client, TenWeb may Process Client Data on behalf of the Client. This agreement applies to the cases when (i) TenWeb Processes Client Personal Data for or on behalf of the Client pursuant to the Agreement and (ii) the Data Protection Laws apply to such Client Personal Data. For the avoidance of doubt, by entering into this agreement, Client instructs TenWeb to process Client Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified via Client’s use of the Services (including the Dashboard and other functionality of the Services); (c) as documented in the form of the Terms of Service, including this Agreement; and (d) as further documented in any other written instructions given by Client and acknowledged by TenWeb as constituting instructions for purposes of this Agreement. TenWeb will comply with the instructions described in this section (Client’s Instructions) (including with regard to data transfers) unless Data Protection Laws to which TenWeb is subject require other processing of Client Personal Data by TenWeb, in which case We will inform Client (unless that law prohibits Us from doing so on important grounds of public interest) via the Notification Email Address.
This Agreement takes effect on the date on which Client accepted it or the Parties otherwise agreed to it. Upon proper termination of the Agreement and at the written direction of the Client, We will take reasonable measures to delete Client Personal Data or return Client Personal Data and copies thereof to the Client, subject to applicable laws requiring the continued storage of the Client Personal Data by Us.
Roles and Representations
For the purposes of this Agreement, Client is the Controller or Processor, as applicable, and TenWeb is the Processor with respect to Client Personal Data. TenWeb shall only Process Client Personal Data in accordance with Data Protection Laws and Client’s documented instructions (including this Agreement). Client represents and warrants that he/she has obtained any required authorizations, consents, releases, or permissions, and provided all required privacy notices, regarding the Client Personal Data. For the avoidance of doubt, Client shall have sole responsibility for the accuracy, quality, and legality of all Client Personal Data and the bases on which it is collected from the Data Subject.
Nature and Purpose of the Processing
TenWeb will process Client Personal Data for the purposes of providing the Services to Client.
Categories of Data
Data relating to individuals provided to TenWeb via the Services, by (or at the direction of) Client or by Client End Users.
Data subjects include the individuals about whom data is provided to TenWeb via the Services by (or at the direction of) Client or by Client End Users.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Client Data by TenWeb.
TenWeb employs tools that enable Client to delete Client Data during the Term in a manner consistent with the functionality of the Services. If Client uses the Services to delete any Client Data during the Term and that Client Data cannot be recovered by Client, this use will constitute an instruction to TenWeb to delete the relevant Client Data from Our systems in accordance with applicable law. We will do so within a maximum period of 60 days, unless Data Protection Laws require otherwise. On expiry of the Term, Customer instructs TenWeb to delete all Client Data (including existing copies) from TenWeb’s systems in accordance with applicable law. TenWeb will comply with this instruction within a maximum period of 60 days, unless Data Protection Laws require otherwise. You acknowledge and agree that You will be responsible for exporting, before the Term expires, any Client Data you wish to retain.
TenWeb will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of TenWeb’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. We may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. We will take appropriate steps to ensure compliance with the Security Measures by Our employees, contractors and Sub-processors to the extent applicable to their scope of performance.
- TenWeb uses Google Cloud Platform and AWS as sub-processors. By entering into this agreement you consent to our usage of Google Cloud Platform as a sub-processor.
- From time to time TenWeb may engage other third-party sub-processors that Process Client Personal Data (“Sub-processors”) for the purposes of providing the Services. A current list of Sub-processors is available here.
- We have the right and You authorize us to engage new Sub-processors for the purpose of providing the Services. In case a new sub-processor is engaged, we will update the list of Sub-processors in Appendix A, and such updates shall be the sole means of providing notice of Sub-processor changes to the Client. You are responsible for regularly checking and reviewing the list of Sub-processors here.
- You have the right to object in writing to a new Sub-processor within ten (10) days of Our posting of the new Sub-processor, and Your failure to do so shall constitute Your authorization of the new Sub-processor.
- If for whatever reason we are not able to address or provide an alternative solution to your objection to a Sub-processor, then You may choose to terminate the Agreement pursuant to the termination provisions in the Terms of Service, which shall be Client’s sole and exclusive remedy.
- We will impose obligations on Our Sub-processors that are the same as or substantially equivalent to those set out in this Agreement by way of written contract. TenWeb shall be liable to Client for the Sub-processors’ performance of its data protection obligations with respect to Client Personal Data.
Cross-border Data Transfers
- You choose the Google Cloud Platform data center(s) where your websites will be hosted. You acknowledge, agree, and understand that (a) all of your Client Personal Data will be automatically transferred and stored in the Google data center you choose, and (b) Client Personal Data may be transferred from the European Economic Area, the United Kingdom, or Switzerland to the country where the Google data center is located, depending on your choice.
- TenWeb and Google have agreed to the Google Cloud Platform Data Processing and Security Terms and EU Model Contract Clauses.
TenWeb shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to security, impact assessments, and consultations with supervisory authorities or regulators.
Personal Data Breach
TenWeb shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to a Personal Data Breach. In the event of a discovered Personal Data Breach, We will notify Client of such Personal Data Breach promptly and without undue delay after becoming aware of it and take reasonable steps to minimize harm and secure Client Data. We will notify You of any Personal Data Breach through an email You have provided Us during TenWeb Account creation and it is Your responsibility to ensure that said email address is current and valid. The Notification will describe, if it is reasonably available to Us, details of the Personal Data Breach, including steps taken by Us to mitigate the potential risks and steps We recommend You to take to address the Personal Data Breach. Client is solely responsible for complying with Personal Data Breach notification laws applicable to Client and fulfilling any third party notification obligations related to any Personal Data Breach.
- You as a Client agree that you also have responsibilities to ensure Data security in addition to those implemented by TenWeb. You are solely responsible for your use of Services, including, but not limited to (i) appropriate use of the Services and employment of additional security controls; (ii) securing the account authentication credentials, systems and devices Client uses to access the Services; and (iii) backing up Your Client Data.
TenWeb’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by TenWeb of any fault or liability with respect to the Personal Data Breach.
Data Subject Rights and Requests
TenWeb shall assist Client, to the extent it is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws. To this extent, in a manner consistent with the functionality of the Services, TenWeb will enable Client to access, rectify and restrict processing of Client Data, including via the deletion functionality, and to export Client Data. TenWeb will promptly notify Client if we receive a request from a Data Subject in relation to Client Personal Data. We will not independently take any action in response to a request from a Data Subject and will advise the Data Subject to submit their request to You and You will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
Audit and Inspection
- Subject to and conditioned on a written non-disclosure agreement, TenWeb shall provide Client with information reasonably necessary to demonstrate compliance with the obligations set forth in this Agreement.
- Any on-site audits shall be (i) subject to and conditioned on reasonable advance written notice, not less than sixty (60) days, to TenWeb; (ii) subject to and conditioned on a written non-disclosure agreement and a detailed written audit plan reviewed and pre-approved by TenWeb; (iii) limited to once every three (3) calendar years; (iv) at Client’s sole cost and expense; (v) limited in scope and purpose to evaluate a specifically identified suspected failure by TenWeb to comply with the provisions of this Agreement and only after Client has exhausted all other reasonable means as determined by TenWeb; and (vi) in the presence of a TenWeb representative without unreasonably disrupting TenWeb’s business operations.
List of Sub-processors
- Google Cloud Platform: We use Google Cloud servers to host and secure Client Websites and store data related to Client Websites.
- Amazon Web Services: We use Amazon Web Services to back up Client Websites.
- Zendesk: We use Zendesk to communicate with our customers and provide them support. Also, it is used to manage leads.
- Google Apps: We use Google/Google Apps to process email communication and manage online documents.
- SendGrid: SendGrid is a cloud-based SMTP provider that we use to send transactional and marketing emails.
- Slack: We use Slack for internal communication and collaboration.
- Stripe: We use Stripe to process Client payments.