LogicManager Data Processing Agreement (DPA)
1. Scope and Applicability
This Data Processing Agreement (DPA) applies to LogicManager, Inc.’s (“LogicManager”) Processing of Personal Information on the Customer’s behalf as a “Processor” for the provision of the Services specified in the Master Subscription Agreement. Unless otherwise expressly stated in the Master Subscription Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of the Master Subscription Agreement.
2. Definitions
In this DPA, unless otherwise defined herein, capitalized terms shall have the meanings ascribed to them in the Master Subscription Agreement (MSA) entered into between the Parties. For the avoidance of doubt, the definitions, rights, and obligations outlined in the MSA are hereby incorporated by reference into this DPA.
“Applicable Data Protection Law” means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Information under this Data Processing Agreement, including Applicable European Data Protection Law, Applicable UK Data Protection Law, the California Consumer Privacy Act as amended (“CCPA”) and other US State laws.
“Applicable European Data Protection Law” means (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; and (ii) the Swiss Federal Act of 19 June 1992 on Data Protection, as amended.
“Applicable UK Data Protection Law” means (i) the UK GDPR, meaning the EU General Data Protection Regulation EU/2016/679, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 pursuant to amendments to the EU General Data Protection Regulation EU/2016/679 made by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 and the Data; and (ii) the UK Data Protection Act 2018, as amended.
“Europe” means for the purposes of this Data Processing Agreement (i) the European Economic Area, consisting of the EU Member States, Iceland, Liechtenstein and Norway; and (ii) Switzerland.
“Individual” shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.
“Personal Information” shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.
“Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.
“Process/Processing”, “Controller”, “Processor” have the meaning set forth under Applicable Data Protection Law.
“Service Provider”, “Sell”, “Share”, “Business Purpose”, and “Commercial Purpose” have the meaning set forth under the CCPA.
“Third Party Subprocessor” means a third party, other than an LogicManager Affiliate, which LogicManager subcontracts with and which may Process Personal Information as set forth in this Data Processing Agreement.
3. Responsibility for Processing of Personal Information and Description of Processing Activities
3.1 The Customer is a Controller and LogicManager is a Processor for the Processing of Personal Information as part of the provision of the Services. Each party is responsible for compliance with its respective obligations under Applicable Data Protection Law.
LogicManager will Process Personal Information during the Service Period of the Master Subscription Agreement solely for the purpose of providing the Services in accordance with the Master Subscription Agreement and this Data Processing Agreement.
3.2 In particular and depending on the Services, LogicManager may Process Personal Information for hosting and storage; backup and disaster recovery; incident management; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems; and implementation, configuration and performance testing.
3.3 As part of the Services on the Controller’s Order Form, LogicManager may Process Personal Information about the Customer’s Individuals, including end users, employees, contractors, customers and clients.
3.4 Unless otherwise specified in the Master Subscription Agreement, the Customer may not provide LogicManager with any data that imposes specific data security or data protection obligations on LogicManager in addition to or different from those specified in the Data Processing Agreement or Master Subscription Agreement (e.g. payment card information). The Customer remains responsible for compliance with specific regulatory, legal or industry data security obligations which may apply to such data.
3.5 As a Data Processor, LogicManager will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Master Subscription Agreement, including for any Commercial Purpose, or (ii) outside of the direct business relationship between LogicManager and the Customer; or (c) combine Personal Information received from or on behalf of the Customer with Personal Information received from or on behalf of any third party, or collected from LogicManager’s own interaction with Individuals, except to perform a Business Purpose that is permitted by the CCPA and the Master Subscription Agreement. The parties acknowledge that the Personal Information the Customer discloses to LogicManager is provided only for the limited and specified Business Purposes set forth in the Master Subscription Agreement. LogicManager shall provide the same level of protection to Personal Information as required by the CCPA and as more fully set out in the Agreement. The Customer may take such reasonable steps as may be necessary (a) to remediate LogicManager’s unauthorized use of Personal Information, and (b) to ensure that Personal Information is used in accordance with the terms of this Data Processing Agreement by exercising the Customer’s rights under Section 8 of this Data Processing Agreement. LogicManager shall notify the Customer if it makes a determination that it is not able to meet its obligations under the CCPA in connection with its provision of the Services.
3.6 LogicManager and Controller’s Third Party Service providers do not act as processors or sub-processors of Personal Data with respect to each other. Customer recognizes that Third-Party Services are governed solely by the terms agreed upon between Customer and the Third-Party Service providers; LogicManager neither endorses nor supports Third-Party Services and bears no responsibility for them, including their privacy and data security policies. LogicManager and Third-Party Service providers do not serve as processors or sub-processors of Personal Data with respect to each other.
4. Privacy Inquiries and Requests from Individuals
4.1 If the Customer receives a request or inquiry from an Individual related to Personal Information Processed by LogicManager under the Master Subscription Agreement, including Individual requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Information, the Customer can securely access their Services that holds Personal Information to address the request.
4.2 To the extent access to the Services are not available to the Customer or otherwise not responsive to the request or inquiry, the Customer can submit a “service request” via support@logicmanager.com (or other applicable primary support tool or support contact provided for the Services, such as the Customer Success Manager) with detailed written instructions to LogicManager on how to assist with such request.
4.3 If LogicManager directly receives any requests or inquiries from Individuals that have identified the Customer as the Controller, it will promptly pass on such requests to the Customer without responding to the Individual. Otherwise, LogicManager will advise the Individual to identify and contact the relevant controller(s).
5. LogicManager Affiliates and Third Party Subprocessors
To the extent LogicManager engages Third Party Subprocessors and/or LogicManager Affiliates, it requires that such entities are subject to the same level of data protection and security as LogicManager under the terms of this Data Processing Agreement and Applicable Data Protection Law. The Customer, upon written request, may receive a current list of Third Party Subprocessors and LogicManager Affiliates that may Process Personal Information on behalf of Controller. LogicManager remains responsible for the performance of the LogicManager Affiliates’ and Third Party Subprocessors’ obligations in compliance with the terms of the Master Subscription Agreement.
6. Cross-border data transfers
6.1 Personal Information will be stored in the data center in the geographic region specified in the Customer’s Order Form.
6.2 LogicManager may Process Personal Information by LogicManager employees globally as necessary to perform the Services, such as for support, incident management or data recovery purposes.
6.3 To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Applicable European Data Protection Law to countries outside Europe not covered by an adequacy decision, such transfers are subject to (i) LogicManager’s Binding Corporate Rules for Processors or BCR-p (also referred to as the LogicManager Processor Code) and (ii) the terms of Module 2 (Controller to Processor) of the EU Standard Contractual Clauses 2021/914 of 4 June 2021.
6.4 To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Applicable UK Data Protection Law, to countries outside the United Kingdom not covered by an Adequacy Decision by the UK ICO, such transfers are subject to (i) the terms of Module 2 (Controller to Processor) of the EU Standard Contractual Clauses 2021/914 of 4 June 2021 as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0 (the “IDTA”).
6.5 To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under other Applicable Data Protection Laws globally, such transfers shall be subject to (i) for transfers to LogicManager Affiliates, requires transfers of Personal Information to be made in compliance with Applicable Data Protection Law and applicable LogicManager security and data privacy policies and standards; and (ii) for transfers to Third Party Subprocessors, security and data privacy requirements consistent with the relevant requirements of this Data Processing Agreement and Applicable Data Protection Law.
7. Security and Confidentiality
7.1 LogicManager has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.
7.2 All LogicManager and LogicManager Affiliates employees, and Third Party Subprocessors that Process Personal Information, are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on Confidentiality and Information Security with LogicManager policies concerning protection of confidential information.
8. Incident Management and Notification
8.1 LogicManager has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to Customer Data transmitted, stored or otherwise Processed. LogicManager will promptly define escalation paths to investigate such incidents in order to confirm if a Security Incident has occurred, and to take reasonable measures designed to identify the root cause(s) of the Security Incident, mitigate any possible adverse effects and prevent a recurrence.
8.2 LogicManager will notify the Customer if a Security Incident is confirmed without undue delay. As information regarding the Security Incident is confirmed to LogicManager, LogicManager will also provide the Customer with (i) a description of the nature and reasonably anticipated consequences of the Security Incident; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of information that were the subject of the Security Incident. The Customer agrees to coordinate with LogicManager on the content of the Customer’s intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Security Incident.
9. Return or Deletion of Personal Information
See section 12 of Master Services Agreement that governs Customer Data (including Personal Information) after Agreement Expiration.
10. Legal Requirements
10.1 LogicManager may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes.
10.2 LogicManager will promptly inform the Customer of requests to provide access to Personal Information and use reasonable efforts to redirect the authority that made the request to the Customer, unless otherwise required by law.
11. Data Protection Officer
LogicManager has appointed a Director of Privacy and Security. Further details on how to contact LogicManager’s Director of Privacy is available upon request to privacy@logicmanager.com
v 12.26.2023