Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
By using the Services, you as the Customer accept this DPA and represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, you should not provide Personal Data to us or use our Service.
In the event of any conflict between certain provisions of this DPA and the provisions of the Principal Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Principal Agreement solely with respect to the Processing of Personal Data.
“Agreement” means this Data Processing Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
“Controller” is the party that determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
“Data Subject” is the identified or identifiable natural person that the Personal Data is related to.
“Data Transfer” means a transfer of Company Personal Data from the Company to a Contracted Processor; or an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or consumer, which is processed by Paperturn solely on behalf of the Customer, under this DPA and the Agreement between the Customer and Paperturn.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” is the party that Processes Personal Data on behalf of the Controller.
“Sensitive Data” means Personal Data that is protected under special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.
“Service” or “Service(s)” means the flipbook subscription services Paperturn provides pursuant to the Principal Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses between Controllers and Processors, and between Processors and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Subprocessor” means any third party that processes Personal Data under the instruction or supervision of Paperturn.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
(2.2) Customer’s Processing of Personal Data Customer, in its use of the Services, and Customer’s instructions to the Processor, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal bases in order to collect, Process and transfer to Processor the Personal Data, and to authorise the Processing by Processor, and for Processor’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.
(2.3) Processor’s Processing of Personal Data Paperturn, when Processing on the Customer’s behalf under the Agreement, shall Process Personal Data for the following purposes:
(i) Processing in accordance with the Principal Agreement and this DPA;
(ii) Processing for the Customer as part of its provision of the Services;
(iii) Processing to comply with the Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Principal Agreement, regarding the manner in which the Processing shall be performed;
(iv) Processing as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Customer of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
(2.4) Details of the Processing The subject-matter of Processing of Personal Data by Paperturn is the performance of the Services pursuant to the Principal Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in ANNEX 1 (Details of Processing) to this DPA.
(2.5) Sensitive Data The Parties agree that the Service is not intended for the Processing of Sensitive Data, and that if the Customer wishes to use the Services to Process Sensitive Data, it must first obtain the Processor’s explicit prior written consent and enter into any additional agreements as may be required by Paperturn.
(2.6) CCPA Standard of Care; No Sale of Personal Information Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Customer under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Principal Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder without Customer’s prior written consent, and not to take any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.
(3.2) Confidentiality of Processing Paperturn shall ensure that any person who is authorised by Paperturn to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
(3.3) Updates to Security Measures Customer is responsible for reviewing the information made available by Paperturn relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Paperturn may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
(3.4) Security Incident Response Upon becoming aware of a Security Incident, Paperturn shall:
(i) notify Customer without undue delay, and where feasible, in any event no later than 72 hours from becoming aware of the Security Incident;
(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and
(iii) promptly take reasonable steps to contain and investigate any Security Incident. Paperturn’s notification of or response to a Security Incident under this Section 3.4 shall not be construed as an acknowledgment by Paperturn of any fault or liability with respect to the Security Incident.
(3.5) Customer Responsibilities Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.
(4.2) Customer’s Audit Rights Paperturn will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to verify Paperturn’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Paperturn’s compliance cannot be demonstrated by means that are less burdensome on Paperturn (including under Section 4.1). Customer may only perform an audit under this section as follows:
(5.2) List of Current Sub-processors and Notification of New Sub-processors Paperturn’s current list of Sub-processors used to process Personal Data is available via https://www.paperturn.com/privacy-policy. The Sub-processor List includes the identities of the Sub-processors and their entity’s country. The Customer is deemed to authorise the Processor’s Sub-processors upon first use of the Services. Paperturn agrees to provide notice to the Customer when adding or making changes to the Sub-processors; this notice will be given via email.
(5.3) Agreements with Sub-processors Paperturn will enter into a written agreement with each Sub-processor that contains data protection obligations equivalent to those in this DPA. Paperturn will be liable for the actions and omissions of its Sub-processors undertaken in connection with Paperturn’s performance under this DPA to the same extent Paperturn would be liable if performing the Services directly.
(5.4) Objection to New Sub-processors The Customer may reasonably object to Paperturn’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Paperturn promptly in writing within seven (7) days after receipt of notification of the new Sub-processor. The written objection shall include reasons for objecting to the Processor’s use of such a new Sub-processor. Failure to object to the new Sub-processor in writing within seven (7) days following Processor’s notice shall be deemed an acceptance of the new Sub-processor. In the event the Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, the Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within thirty (30) days, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect only to those elements of the Services which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. All amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Services. The Customer will have no further claims against the Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
(6.2) Data Protection Impact Assessment Upon Customer’s reasonable request, Paperturn shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Paperturn. Paperturn shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 6.2, to the extent required under the GDPR or the UK GDPR, as applicable.
(8.2) Transfers from the EEA, Switzerland and the United Kingdom to Other Countries If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
(i) from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in the Standard Contractual Clauses shall apply;
(ii) from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer”), the terms set forth in the Standard Contractual Clauses, in accordance with Annex III thereto (UK Cross Border Transfers) shall apply;
(iii) the terms set forth in Annex IV to the Standard Contractual Clauses (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
Nature and Purpose of Processing
Paperturn will Process Personal Data as necessary for the following reasons:
1. Providing the Services to Customer;
2. Performing the Agreement, this DPA and/or other contracts executed by the Parties;
3. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
4. Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);
5. Complying with applicable laws and regulations;
6. Any and all tasks related to any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Principal Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Paperturn will Process Personal Data pursuant to the DPA and Principal Agreement for the duration of the Principal Agreement, unless otherwise agreed upon in writing.
Categories of data subjects
The personal data transferred concerns the following categories of data subjects:
The categories of data subjects whose personal data may be processed in connection with the Subscription Services are determined and controlled by the data exporter in its sole discretion and may include but are not limited to: customers, contacts and prospects of data exporter; affiliates, employees or contractors of data exporter.
Categories of data
The personal data transferred concern the following categories of data:
The categories of personal data are determined by the data exporter in its sole discretion and may include but are not limited to: first and last name; employer; business role; professional title; contact information (e.g., email, phone, physical address); financial information (credit card number, banking details); business network; business experience; business interests; localization data; and device identification data.
Special categories of data (if appropriate)
The parties do not anticipate the transfer of any special categories of data.
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
a. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
a) Access Control
i) Preventing Unauthorised Product Access
- Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for ISO 27001 compliance, among other Certifications.
- Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
ii) Preventing Unauthorised Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect our Customer’s flipbooks in their flipbook viewer. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
iii) Limitations of Privilege & Authorization Requirements
- Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled via specific vaults with encrypted passwords dedicated to specific employees where employees are granted access by role.
b) Transmission Control
In-transit: We make HTTPS encryption (TLS, historically also referred to as SSL) available on every one of our login interfaces and for free on every customer site hosted on the Paperturn platform. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security.
c) Input Control
Detection: We designed our infrastructure to log extensive information about system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and Customer damage or unauthorised disclosure. Notification to you will be in accordance with the terms of the Agreement.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Backups: All databases are backed up and maintained using industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Last updated: 1.9.2022