logo
Sign in

Data Processing Agreement

1. Background

This Data Processing DPA (“DPA”) supplements the Terms of Service (the “Agreement”) entered into by and between Customer (as defined in the Agreement) and Namespace Labs, Inc a Delaware corporation located at 2261 Market Street #5037 San Francisco, CA 94114 (“Namespace”). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

2. Definitions

Unless otherwise defined in this DPA or in the Agreement, terms used in this DPA, such as "Data Controller", "Data Processor", "Data Subject" and "Personal Data" have the meanings as defined in the Data Protection Regulation.

Term
Definition
Data Protection Regulation
means all applicable laws relating to data protection, including without limitation the GDPR and the laws implementing EU Directive 2002/58/EC and any amendments to or replacements for such laws and regulations.
GDPR
means the General Data Protection Regulation (EU) 2016/679.
Personal Data Breach
means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Standard Contractual Clauses
means the contractual clauses issued by the European Commission by the decision 2021/914/EU for international transfers of Personal Data.
Sub-processor
means any person and third parties appointed by or on behalf of Namespace to process Personal Data on behalf of the Customer in connection with the Agreement.
Web Site
means Namespace's web site available at namespace.so and Namespace’s console available at cloud.namespace.so with which the Customer may use the cloud services.

3. Processing of personal data

Processing of Personal Data under this DPA is for the purpose of providing the Services to the Customer. Processing of Personal Data in this context refers to storage, maintenance and other processing activities initiated by the Customer, depending on which Services the Customer has chosen to use. The categories of Data Subjects and the types of Personal Data processed are defined in the Appendix 1 (Details of processing).

Personal Data may be processed as long as the Services are provided under the Agreement and after that if required by applicable law or contractual obligations or rights of either Party.

4. Customer's instructions

Namespace shall process Personal Data in accordance with the Customer's written instructions as established in this DPA. The Parties agree that this DPA is the Customer's complete written instruction to Namespace in the Customer's role as the Data Controller. Additional instructions require prior written agreement between the Parties.

5. Namespace’s general obligations

Namespace shall, at the Customer's written request and the Customer's sole cost and expense, assist the Customer by providing such readily available information, or creating such information, as the Customer may reasonably require and which the Customer does not have, in complying with the requests of the Data Subjects or supervisory authority or any other law enforcement or regulatory authority.

Namespace shall inform the Customer, as soon as reasonably practicable, if it receives a request from a Data Subject seeking to exercise his or her rights under the Data Protection Regulation.

Namespace shall maintain records of processing activities under its responsibility to ensure Namespace's own compliance as a Data Processor with the Data Protection Regulation, and upon the Customer's written request Namespace shall make available to the Customer such records to the extent necessary to demonstrate compliance with Namespace’s obligations set out in this DPA and in the Data Protection Regulation.

6. Data security

Namespace shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security of the Personal Data and to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure for the purposes of the Cloud Services. Namespace is committed to ensure appropriate level of security of the Personal Data.

In the event of a Personal Data Breach, Namespace shall notify the Customer without undue delay after becoming aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such breach.

The notification shall contain information Namespace is reasonably able to disclose to the Customer, including following information: a description of the nature of the Personal Data breach, including where possible the categories of Data Subjects and the Personal Data concerned; the name and contact details of contact point where more information can be obtained; a description of likely consequences of the Personal Data Breach; and a description of the measures taken or proposed to be taken to address the Personal Data Breach.

The information may be provided in phases if it is not possible to provide the information at the same time.

Namespace shall cooperate with and assist the Customer, at the Customer's written request and the Customer's sole cost and expense, in relation to the Personal Data Breach notifications made to supervisory authority as required under the Data Protection Regulation. Namespace shall document the Personal Data Breaches and have the documentation available to the Customer upon the Customer's written request.

7. Sub-processors

Customer acknowledges and agrees that Namespace may (1) engage its affiliates and the Authorized Sub-processors listed in Appendix B (the “List”) to this DPA to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.

By way of this DPA, Customer provides general written authorization to Namespace to engage sub-processors as necessary to perform the Services.

The List may be updated by Namespace from time to time. Namespace may provide a mechanism to subscribe to notifications of new Authorized Sub-Processors and Customer agrees to subscribe to such notifications if available.

At least fifteen (15) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Namespace will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Namespace within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Namespace from offering the Services to Customer.

If Customer reasonably objects to an engagement in accordance with the previous paragraph, and Namespace cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Namespace. Discontinuation shall not relieve Customer of any fees owed to Namespace under the Agreement.

Namespace shall use its commercially reasonable efforts to ensure that its Sub-processors are subject to similar data protection obligations, in particular in terms of providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Regulation, as set out in this DPA. Namespace remains responsible for its Sub-processors and their compliance with the obligations of this DPA.

8. Transfers of personal data

The Customer accepts that Namespace; (i) performs the international data transfer of Personal Data in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by Namespace (as a data exporter) and the Sub-processor (as a data importer) or; (ii) agrees the Sub-processor to carry out the transfer in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by the Sub-processor group companies (Sub-processor’s EEA entity as a data exporter and third country entity as a data importer), as applicable.

In case transfers to third countries or international organizations, which Namespace has not been instructed to perform by the Customer, are required under EU or Member State law to which Namespace is subject, Namespace shall inform the Customer of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

Namespace is entitled to transfer personal data to the approved sub-processors in third countries listed on Appendix B. The legal basis for this transfer is the European Commission's Standard Contractual Clauses.

9. Auditing

At the Customer's written request and the Customer's sole cost and expense, the Customer is entitled, once every twelve (12) months, to audit Namespace's compliance with its obligations under the Data Protection Regulation and this DPA.

The audit report and related information shall at all times be deemed as Namespace's confidential information.

10. Data confidentiality

Namespace will not access or use, have visibility or disclose to any third party, any data that the Customer has input into the Services, except, if specifically requested in writing by the Customer in order to provide customer-specific support services as requested and instructed by the Customer.

If a governmental body sends Namespace a demand for the data input into the Services, Namespace will do its best efforts to redirect the governmental body to request that data directly from the Customer. If compelled to disclose Customer Data to a governmental body, then Namespace will only disclose the Personal Data strictly to the extent it is legally required to do so and shall give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless Namespace is legally prohibited from doing so.

11. Term and termination

This DPA shall become effective in parallel with the Service Agreement and shall continue in force until the termination of the Service Agreement or as long as Namespace processes Personal Data on behalf of the Customer.

If not instructed otherwise in writing by the Customer and unless legally required to keep the Personal Data, Namespace shall delete and destroy the Personal Data processed hereunder the latest within ninety (90) days' of the termination of the Agreement or after the maximum data retention period permitted by the technology of the relevant Service. In case the Customer demands that the Personal Data are returned to the Customer or to a third party, the Customer will pay Namespace for any additional costs and expenses arising out of such return of the Personal Data.

Appendix A - Details of processing

This Appendix forms part of this DPA describing the details of personal data to be processed by Namespace.

The Customer has full control of what personal data will be processed by uploading such personal data into the Services.

Data subjects

  • Prospects, customers, business partners, and vendors of the Customer (who are natural persons).
  • Employees or contact persons of the Customer’s prospects, customers, business partners and vendors.
  • Employees, agents, advisors, and freelancers of the Customer (who are natural persons).
  • Individuals authorized by the Customer under the Agreement

Categories of personal data

  • Full name
  • Title, position
  • Email address, address
  • Phone number

Special categories of personal data - No special categories of Personal Data are processed.

Subject matter of the processing - Hosting, storing and maintenance for the data Customer has input to the Cloud Services.

For clarity, the Customer is the Data Controller of, and this DPA is only applied to, the Personal Data input to the Cloud Services by Customer.

Appendix B - List of Sub-processors

To obtain the list of sub-processors, please head to trust.namespace.so/subprocessors.