Visage
Menu

Data Processing Addendum

Visage Data Processing Addendum

Updated:

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA), sets forth the parties’ obligations with respect to the processing of Personal Data in connection with the Service, and is incorporated into and forms part of the terms and conditions of the Master Service Agreement or any other agreement under which Visage, Inc. (“Visage) the party identified as the customer in the Agreement or the Order Form(s) (“Customer).

Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.

  1. Definitions

1.1 “Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.

1.2

“Data Protection Laws” means as applicable to a party’s processing of Personal Data under the Agreement: (i) European Data Protection Laws; and (iii).

“Europe” means, for the purposes of this DPA, the European Economic Area (“EEA) and Member States, Switzerland and the United Kingdom.

“European Data Protection Laws” means all data protection and privacy laws and regulations enacted in Europe, including: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws“); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“);and () all applicable national data protection and privacy laws made under or pursuant to (i), (ii), (iii); in each case, as may be amended, superseded or replaced from time to time.

“Permitted Affiliate” means any Affiliate of Customer which: (i) is subject to Data Protection Laws; (ii) is permitted to use the services provided by Visage pursuant to the Agreement; and (iii) has not signed its own Order Form or Agreement with Visage and is not a “Customer” as defined under the Agreement.

“Personal Data” means any information which is protected as “personal data”, “personally identifiable information”, or “personal information” under Data Protection Laws.

“Security Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to.

“Sub-processor” means any third party rocessor engaged by Visage to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.  Sub-processors may include third parties or Visage Affiliates but shall exclude any Visage employee, independent contractor or consultant.

The terms shall have the meaning given to them Data Protection Laws.

2. Scope and Applicability of this DPA

2.1 Scope This DPA applies where and only to the extent that either party processes Personal Data that is subject to Data Protection Laws in connection with the Service provided by Visage to Customer pursuant to the Agreement

2.2 Role of the Parties The parties acknowledge and agree that:

a) Customer is a of Customer Profiles and Visage shall process Customer Profiles only as a on behalf of Customer; and

b) each party is a of Visage Profiles and shall process Visage Profiles in accordance with Agreement (including this DPA) and Data Protection Laws.

3 Obligations

3.1

Processing Instructions  Visage shall for the purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Visage in relation to the processing of Customer Profiles and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.

Sub-processing Customer agrees that Visage may engage Sub-processors to process Customer Profiles on Customer’s behalf for the purposes of providing the Service. The list of Sub-processors currently engaged by Visage available here: https://visage.jobs/sub-processors-list/ (“Sub-processor List”). Visage shall provide Customer with a mechanism to subscribe to notifications of new Sub-processors, to which Customer may subscribe and if Customer subscribes, Visage shall notify Customer if it makes any changes to its Sub-processor List at least 10 days prior to any such change.

3.5

  1.  Visage shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that are necessary to confirm Visage’s compliance with this DPA provided that Customer shall not exercise this right more than once per calendar year

Where required by Data Protection Laws or a data protection authority, Visage shall allow Customer or another auditor approved by the parties to audit compliance with this DPA and inspect Visage’s facilities, equipment, documents and electronic data relating to the processing of the Customer Profiles by Visage, provided that: (i) such additional audit enquiries shall not unreasonably impact Visage’s regular operations. Customer and Visage shall mutually agree upon the scope, timing and duration of audit. Where applicable, the parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Visage to comply with the audit measures described in Section 3..

Security Visage shall implement appropriate technical and organizational security measures to protect Customer Profiles from Security Breaches and preserve the security and confidentiality of Customer Profiles in accordance in accordance with the Visage security standards described (“Security Measures). Visage may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

Data Protection Impact Assessment  required under applicable Data Protection Laws and Customer does not already have access to the relevant information, Visage shall provide reasonably requested information regarding Visage’s processing of Customer Profiles to enable Customer to carry out data protection impact assessment or prior consultations with .

4.

4.1

  1. Purpose Limitation. Customer shall process Visage Profiles only for the purposes described in Annex A and consistent with consents given by the ata ubjects (the “Permitted Purpose).

Except as may be expressly stated in the applicable Order Form, permitted in writing by Visage or where required or necessary under applicable law, Customer will not sell, disclose, or share Visage Profiles (or any part or derivative thereof) with any third party (except for rocessors)

. Correspondence The parties shall, on request, provide each other with all reasonable and timely assistance and co-operation (at their own expense) to enable the other party to respond to.

. International Transfers

.1 Processing Locations.  Customer acknowledges and agrees that Visage may transfer and process Customer Profiles to and in the United States and other locations in which Visage, its Affiliates or its Sub-processors maintain data processing operations.  Visage shall at all times ensure such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

.2 Cross Border Transfers. If either party's processing of Personal Data in connection with the Agreement involves a transfer of Personal Data that is subject to European Data Protection Laws to a country or territory outside Europe that is not deemed adequate under European Data Protection Laws, the parties agree to comply with the relevant cross border transfer mechanism set out in Annex C.

. Miscellaneous

.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.  If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.

.2 Customer acknowledges that Visage may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, a European data protection authority, or any other US or European judicial or regulatory body upon their request.

.3 Notwithstanding anything to the contrary in the Agreement, Visage may periodically make modifications to this DPA as may be required to comply with Data Protection Laws.

.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Annex A – Description of Processing

Annex B – Security Measures

Visage’s Security Measures to protect Customer Profiles can be found here: https://visage.jobs/security-measures/

We use cookies to enhance your browsing experience, analyze site traffic, and personalize content. By clicking "Accept", you consent to our use of cookies. Read our Privacy Policy and Cookie Policy to learn more.