If you prefer a more traditional file format, you can download the Data Processing Addendum as a PDF.
This Data Processing Addendum (“Addendum”) governs Dubrink’s processing of Personal Data under the Master Subscription Agreement (“MSA”) and applicable Data Protection Laws. This Addendum is incorporated into the MSA and takes precedence in matters of data protection. All other provisions, including Governing Law and Dispute Resolution, are governed by the MSA.
Capitalized terms used in this Addendum shall have the meanings set forth below.
“Authorized Affiliates” means the Customer’s Affiliate(s) which are bound by the terms of this Data Processing Addendum, are subject to the Data Protection Laws of the European Union (“EU”), the European Economic Area (“EEA”) and/or their Member States, Switzerland and/or the United Kingdom, and/or all other applicable Data Protection Laws, and are permitted to use the Services pursuant to the MSA executed between the Customer and Dubrink but have not signed their own Order with Dubrink, the Customer being responsible for ensuring that such Affiliate(s) are aware of the Processing activities that may be carried out by Dubrink and that all authorizations from such Affiliate(s) for such processing activities are collected.
“Breach Event” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Dubrink.
“Controller” means the Customer or any of its Authorized Affiliates or any other entity that the Customer appoints to provide instructions to Dubrink as the natural or legal person who determines the purposes and means of Processing of the Personal Data.
“Customer’s Personal Data” means any Personal Data Processed by Dubrink or another Sub-Processor on behalf of the Customer, which is transmitted to or given access to Dubrink by the Customer pursuant to or in connection with the MSA.
“Data Subject” means the identified or identifiable natural person whose Personal Data is Processed.
“Data Protection Laws” means all applicable data protection and privacy laws and regulations, including, where applicable, the General Data Protection Regulation (GDPR), UK Data Protection Act, Swiss Federal Act on Data Protection, U.S. state privacy laws (e.g., CCPA, CPRA), and any other laws governing the processing of Personal Data in jurisdictions where the Customer operates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“List of Sub-Processors” means the list of Sub-Processors engaged by Dubrink as made available in Annex II.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as the categories of data referred to in Annex I (“Processing Activities”), which may be supplied to and Processed by Dubrink on behalf of the Controller pursuant to or in connection with the MSA.
“Personnel” means Dubrink’s employees or other individuals with a contractual relationship with Dubrink.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means Dubrink as the legal person who processes Personal Data on behalf of the Controller.
“Restricted Transfers” means the transfer of Personal Data to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws. Restricted Transfers include transfers of Customer’s Personal Data to Dubrink and onward transfers of Customer’s Personal Data from Dubrink to a Sub-Processor and from a Sub-Processor to another Sub-Processor or between two establishments of a Sub-Processor.
“Services” means the Dubrink Platform provided on cloud (platform as a service) and the Support and Updates jointly provided through a Subscription and/or the Professional Services provided by Dubrink, as defined in the MSA.
“Standard Contractual Clauses” (SCCs) means the standard contractual clauses approved by the European Commission Decision 2021/914 of 4 June 2021, or any subsequent updates or replacements thereof, for the transfer of personal data to third countries under Regulation (EU) 2016/679 (GDPR).
Where applicable, the SCCs shall include the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office (“UK SCCs”).
The applicable SCCs shall be incorporated by reference and deemed executed between the Parties where required for compliance with applicable Data Protection Laws.
“Sub-Processor” means an entity engaged by the Processor exclusively for the Processing activities to be carried out pursuant to or in connection with this Addendum and the MSA on behalf of the Customer and in accordance with its instructions, as transmitted by the Customer.
“Third-Party Services” means certain services and applications, including Non-Dubrink Applications and Add-ons, operated by third parties chosen and directly contracted by Customer, that integrate with the Services. The providers of said Third-Party Services are not Dubrink Sub-Processors.
The parties acknowledge and agree that:
The Customer is the Controller of Personal Data and determines the purposes and means of its processing.
Dubrink acts as the Processor and processes Personal Data solely to comply with the CBAM Regulation and for the purposes described in this section.
The Customer may engage a Partner to act on its behalf. In such cases:
The Partner shall be considered as acting under the Customer’s authority.
Dubrink may also act as a Partner, in which case it will process Personal Data strictly within the scope of its role as a Processor under this Addendum.
For customers outside the EU/EEA, Dubrink shall comply with applicable data protection laws in those jurisdictions where such laws impose similar obligations to GDPR. Where no specific regulation applies, Dubrink shall process data in accordance with recognized industry best practices.
For the purpose of fulfilling its obligations under the CBAM Regulation, Dubrink is authorized to contact relevant Supply Chain Stakeholders.
This includes collecting only the necessary data and information related to CBAM compliance.
Dubrink shall process this data strictly in accordance with this Addendum and applicable data protection laws.
Customer is solely responsible for assessing its use of the Services in light of applicable data protection laws and regulatory requirements in its jurisdiction.
Customer acknowledges that it remains fully responsible for ensuring its compliance with such laws, including the lawful collection, processing, and transfer of Personal Data to Dubrink.
Customer guarantees that it has the necessary rights and legal basis to process and share any Personal Data or other information provided to Dubrink.
Dubrink shall not be liable for any unlawful or unauthorized processing of data submitted by the Customer, including but not limited to data related to Tier 2 or other indirect suppliers.
Prior to executing the MSA, the Customer shall conduct its own legal analysis to determine whether its use of the Services aligns with applicable data protection laws.
The subject matter of the Processing of Personal Data by Dubrink is the provision of services under the MSA.
The nature and purpose of the Processing, the categories of Data Subjects, and the types of Personal Data Processed under this Data Processing Addendum are further specified in Annex I.
The Processing of Personal Data shall continue for the duration of the MSA, unless otherwise required by law or agreed upon in writing by the Parties.
Upon termination of the MSA, Dubrink shall delete Personal Data without undue delay and in accordance with applicable laws.
Dubrink implements and maintains appropriate technical, organizational, and administrative security measures to protect Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Dubrink continually improves its security measures in line with technological advancements and evolving security threats.
Dubrink enforces strict access controls to ensure that Personal Data is only accessible to authorized individuals who require such access to perform their specific duties or tasks (need-to-know principle).
Access to Personal Data is monitored, logged, and reviewed to prevent unauthorized access and detect anomalies.
Dubrink is aligned with ISO 27001 standards and is in the process of obtaining ISO 27001 certification.
Until certification is finalized, Dubrink continues to adhere to industry best practices for information security, data protection, and regulatory compliance.
Dubrink ensures that any Personnel with access to or involved in the Processing of Customer’s Personal Data is subject to binding confidentiality obligations, whether through employment contracts, professional duties, or statutory requirements.
Dubrink shall provide reasonable assistance to the Customer in responding to notifications from a Supervisory Authority, to the extent required by applicable Data Protection Laws and relevant to Dubrink’s role as a Processor.
Dubrink may charge a reasonable administrative fee for requests that require substantial effort beyond standard compliance obligations.
In the event of a Breach Event, Dubrink shall provide the Customer with necessary and proportionate assistance, including:
Dubrink’s obligations under this section shall be limited to what is required under applicable law and shall not extend to tasks that are the responsibility of the Customer.
Dubrink shall, upon reasonable request, provide the Customer with relevant available information regarding the Processing of Personal Data under this Addendum.
Dubrink shall use commercially reasonable efforts to ensure that its Sub-Processors also comply with this obligation.
Dubrink shall not be required to create or maintain records solely for the purpose of fulfilling Customer requests unless legally required.
Dubrink shall reasonably assist the Customer with obtaining regulatory approvals or fulfilling notification obligations where required by law.
Upon written request, Dubrink shall provide available information reasonably necessary for the Customer to conduct a Data Protection Impact Assessment (DPIA) related to the use of Dubrink’s Services. However, Dubrink shall not be required to conduct a DPIA on the Customer’s behalf.
Any mitigation actions resulting from a DPIA shall be subject to mutual agreement and commercially reasonable efforts by both Parties.
Assistance beyond what is legally required may be subject to additional costs and must be mutually agreed upon in writing.
Dubrink shall, to the extent legally permitted, notify the Customer without undue delay if it receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws (e.g., right of access, rectification, restriction, erasure, data portability, objection to processing, or exemption from automated decision-making).
Considering the nature of the Processing, Dubrink shall provide reasonable assistance to the Customer in fulfilling its obligation to respond to a Data Subject Request, where the request relates to Personal Data processed by Dubrink on behalf of the Customer. Any assistance beyond standard compliance obligations shall be subject to the terms outlined in Section 6.2(ii).
Unless prohibited by law, Dubrink shall notify the Customer without undue delay if it receives any communication, correspondence, or request for information (whether written or oral) from any regulatory or judicial authority relating directly to the Processing of Personal Data on behalf of the Customer, including enforcement actions or investigations under applicable Data Protection Laws.
Dubrink shall use commercially reasonable efforts to ensure that its Sub-Processors also comply with this obligation.
Where permitted by law, Dubrink shall provide relevant details of the request to the Customer, but may redact or limit disclosure where legally required.
Any assistance beyond legally required obligations may be subject to additional costs and must be mutually agreed upon in writing.
Dubrink shall process Personal Data in accordance with the Customer’s instructions and take reasonable steps to maintain the accuracy and integrity of Personal Data as provided by the Customer.
Upon written request from the Customer, Dubrink shall update, amend, correct, or delete Personal Data that is inaccurate or incomplete, to the extent required under applicable Data Protection Laws and technically feasible.
Dubrink shall use commercially reasonable efforts to ensure that its Sub-Processors also comply with this obligation.
Upon termination or expiration of the MSA, Dubrink shall, upon written request from the Customer, delete or return all Personal Data processed on behalf of the Customer, except to the extent that retention is required by applicable Data Protection Laws.
Dubrink shall use commercially reasonable efforts to ensure that its Sub-Processors comply with this obligation.
Where deletion is requested, Dubrink shall delete Personal Data from its systems within a commercially reasonable timeframe, taking into account technical constraints, backup cycles, and legal obligations. Secure deletion of hard copies shall be performed where applicable.
If the Customer does not provide deletion or return instructions within 30 days after termination, Dubrink may securely delete the Personal Data in accordance with its data retention policies, unless otherwise required by law.
Dubrink shall notify the Customer without undue delay and within seventy-two (72) hours after becoming aware of any Breach Event, in accordance with applicable Data Protection Laws. Where and in so far as it is not possible to provide all relevant information at the same time, the information may be provided in phases without undue delay.
Dubrink shall fully and promptly cooperate with the Customer in satisfying its obligations with respect to a Breach Event, as determined by the applicable Data Protection Laws.
The Customer hereby authorizes Dubrink to engage Sub-Processors. The Sub-Processors engaged must ensure compliance with the requirements and/or obligations foreseen in the Data Protection Laws and this Addendum.
Dubrink will update the List of Sub-Processors when necessary and notify the Customer accordingly. In case Dubrink updates the List of Sub-Processors, Customer shall be promptly notified of such fact, and shall be given the opportunity to reasonably object to such change within 30 days counting from Dubrink’s notification. Customer accepts to be informed of the amendments to the List of Sub-Processors by email.
If within thirty (30) days, the Customer notifies Dubrink of a reasonable objection to the proposed appointment, the Parties shall work together to make available a commercially reasonable change in the provision of the Services that avoids the use of that Sub-Processor. If such a solution is not feasible and the Customer does not wish to proceed, the Customer may terminate the affected Services by providing written notice within thirty (30) days of Dubrink’s response. In such cases, the Customer shall be entitled to a pro-rata refund for any prepaid fees covering the remaining period of the Subscription.
Dubrink may engage Sub-Processors to assist in providing the Services under this Addendum.
Dubrink shall ensure that any Sub-Processor agreement:
Includes appropriate data protection obligations that provide a comparable level of protection to that set out in this Addendum, in accordance with applicable Data Protection Laws.
Requires the Sub-Processor to process Personal Data only on behalf of Dubrink and in accordance with Dubrink’s instructions, which reflect the Customer’s instructions.
Dubrink remains responsible for ensuring that its Sub-Processors comply with applicable data protection obligations.
The Customer undertakes not to make any Personal Data available to Dubrink while procuring and in the context of Dubrink’s Support services and in the context of the provision of Professional Services directly by Dubrink.
If Customer subscribes to any Third-Party Services, even if they have some interaction with the Services, Customer shall perform its own due diligence from a data protection, privacy and security perspective. Said Third-Party Services providers are not Dubrink Sub-Processors and Dubrink is not liable for the processing of Customer’s Personal Data by Third-Party Providers.
Where the Sub-Processor fails to fulfil its data protection obligations, Dubrink will remain liable to the Customer for the performance of such Sub-Processor’s obligations.
Dubrink shall, upon request, make available to the Customer information reasonably necessary to demonstrate compliance with this Data Processing Addendum.
Dubrink shall, upon written request and no more than once every two (2) years, provide the Customer with relevant documentation to demonstrate compliance with applicable Data Protection Laws.
If an audit is required by a Supervisory Authority or due to a confirmed data breach, Dubrink shall allow the Customer to conduct a remote audit limited to security and privacy compliance. Any such audit must:
Be scheduled with at least sixty (60) days’ prior written notice,
Be conducted remotely (unless an on-site audit is strictly required by law),
Be carried out without disrupting Dubrink’s business operations,
Maintain confidentiality obligations,
Be at the Customer’s sole expense, including Dubrink’s time at its then-current professional services rates, payable in advance of the audit.
Once Dubrink obtains ISO 27001 certification, the provision of ISO 27001 audit reports shall satisfy audit requirements in lieu of direct customer audits.
The Parties agree that if any Restricted Transfer occurs, it shall be subject to an appropriate transfer mechanism under applicable Data Protection Laws, including but not limited to:
An adequacy decision by the European Commission, or
The Standard Contractual Clauses (SCCs), as applicable.
Where applicable, the Standard Contractual Clauses (SCCs) shall be incorporated by reference and deemed executed between the Parties as required under applicable Data Protection Laws.
Dubrink shall not Process Personal Data outside the EU/EEA unless such Processing is conducted in compliance with an adequate transfer mechanism.
Dubrink’s Sub-Processors (listed in Annex II) include service providers located in countries outside the EU/EEA, including the United States, where data transfers are safeguarded through these legally recognized mechanisms.
Liability under this Addendum is subject to the ‘Limitation of Liability’ section of the MSA.
Any notice, consent, or other communication under this Addendum (“Notice”) must be in writing and sent either by email or registered mail. Notices to Dubrink shall be sent to [email protected], and Notices to the Customer shall be sent to the email address provided by the Customer. Notices sent by email shall be deemed effective upon receipt, unless received outside business hours, in which case they will be deemed effective on the next business day following the date of receipt or, if delivery is refused, the date of such refusal. Notices must be sent to the contacts listed in the signature section of this Addendum, and either Party may update its Notice address by notifying the other Party in accordance with this clause. All Notices must be in English.