Data Processing Agreement
Last modified: April 2022
1. Data Processing Agreement
1.1. This Data Processing Agreement (“DPA”) sets forth the data processing rights and obligations for the Platform. This SLA is entered into by and between Customer and Ecolab Inc. (“Ecolab”). Ecolab’s obligations may be carried out by Lobster Ink, a division of Ecolab.
2. Definitions
In this DPA the following terms have the following meanings:
2.1 “Applicable Laws” means (to the extent they apply to Ecolab) the laws of the European Union, the law of any member state of the European Union and/or any domestic laws applicable to Ecolab.
2.2 “Data Protection Legislation” means the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), any other directly applicable European Union regulation relating to privacy, and any domestic data protection legislation directly applicable to Ecolab or Customer (including the UK Data Protection Act 2018).
2.3 "Personal Data" means any information relating to an identified or identifiable individual which information is subject to the Data Protection Legislation and exchanged between the Parties as a part of the Services provided in the Agreement.
2.4 “Controller”, “Data Subject”, “Processor” and “Processing” have the meanings as defined in the GDPR.
3. Data Protection
3.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace a Party's obligations under the Data Protection Legislation.
3.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, Customer is the Controller and Ecolab is the Processor. Schedule 1 below sets out the scope, nature and purpose of processing by Ecolab, the duration of the Processing, the types of Personal Data, and categories of Data Subject.
3.3 Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Ecolab for the duration and purposes of the Agreement.
3.4 Ecolab will, with respect to any Personal Data processed in connection with the performance of its obligations under the Agreement:
(a) process that Personal Data only on the reasonable written instructions of Customer unless Ecolab is required by Applicable Laws to otherwise process that Personal Data (in which case Ecolab will notify Customer, unless the law prohibits providing such notice). Customer hereby instructs Ecolab to process Personal Data to the extent necessary to perform its obligations under the Agreement. Ecolab shall immediately inform Customer if, in its reasonable opinion, an instruction from Customer infringes Data Protection Legislation or other Applicable Laws;
(b) taking into account industry standard, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, ensure that it has in place appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk as identified in Article 32 of the GDPR, considering, in particular the risks associated with unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data;
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) notify Customer without undue delay on becoming aware of a Personal Data breach;
(e) taking into account the nature of the processing and information available to Ecolab, make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow and contribute to audit, including inspections, conducted by Customer or another auditor mandated by Customer, as may be required by Data Protection Legislation, such audits to be held as far as reasonably possible at times, mutually agreed by both Parties, that are convenient to Ecolab and do not disrupt the day to day business activities of Ecolab;
(f) taking into account the nature of the processing and information available to Ecolab, reasonably assist Customer in responding to a Data Subject request and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, impact assessments and consultations with supervisory authorities or regulators;
(g) reasonably cooperate with Customer and take such reasonable commercial steps as are requested in writing by Customer to assist it in the investigation, mitigation and remediation of a Personal Data breach; and
(h) at the written direction of Customer, delete or return Personal Data and copies thereof to Customer on termination or expiration of the Agreement unless required by Applicable Law to store the Personal Data. If Customer fails to provide direction with regard to such Personal Data within a reasonable time, not to exceed sixty (60) days following such termination or expiration, then Ecolab may retain or destroy such Personal Data without liability with respect thereto.
3.5 Customer shall reimburse Ecolab for the cost of any assistance offered to Customer as described in this DPA (e.g. in Section 3.4) beyond what is reasonable taking into account the nature of the Processing.
3.6 Customer consents to Ecolab appointing subprocessors of Personal Data under the Agreement in order for Ecolab to perform its obligations under the Agreement as described in the List of Sub-Processors (which is available at https://lobsterink.com/legal/subprocessors/). Ecolab confirms that it has entered (or will enter) into written agreements with the sub-processors listed imposing the relevant obligations required by the Data Protection Legislation.
3.7 Customer acknowledges that from time to time during the term of the Agreement, Personal Data will be transferred to third countries. To facilitate transfer of Personal Data to third countries, the Parties agree to enter into the EU Standard Contractual Clauses:
(a) Customer, as "data exporter", and Ecolab, as "data importer", hereby enter into, as of the Effective Date, the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, Regulation (EU) 2016/679 (the "SCCs") (the text of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) which are incorporated by this reference and constitute an integral part of this DPA. The Parties are deemed to have accepted and executed the SCCs in their entirety, including the appendices.
(b) In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall apply.
(c) The information contained in this DPA including its Schedule 1 shall fulfil the requirements of the SCCs Annex 1 (Description of Processing) and Annex 3 (List of Sub-Processors).
(d) The terms of the Security Annex, available from Ecolab upon request, shall fulfil the requirements of the SCCs Annex 2 (Technical and Organizational Measures).
4. Customer Obligations
Customer agrees that:
4.1 It will comply with its obligations under the Data Protection Legislation;
4.2 All of the Personal Data provided by it (or on its behalf) to Ecolab will be collected and provided in accordance with the Data Protection Legislation;
4.3 Ecolab’s processing of such Personal Data in accordance with this Agreement will not put Ecolab in breach of the Data Protection Legislation;
4.4 If in its reasonable opinion Ecolab needs to revise this DPA in order to comply with the Data Protection Legislation, Customer agrees to enter into a written variation to make the amendments which in Ecolab’s reasonable opinion are required.
SCHEDULE 1: PROCESSING, PERSONAL DATA AND DATA SUBJECTS
1. Processing by Ecolab
1.1 Scope
Processing of Data Subjects’ Personal Data for the purpose of providing online training services and associated reporting and support as described in the Agreement or other applicable documentation.
1.2 Nature
For the purpose of providing the Services.
1.3 Purpose of processing
Hosting, reporting, customer support or as otherwise described in the Agreement or other applicable documentation.
1.4 Duration of the processing
For the duration required in order to provide the Services unless required by Applicable Law to store the Personal Data for longer.
2. Types of personal data
Names, email addresses, job roles, employee numbers, telephone numbers.
3. Categories of data subject
Any individual accessing and/or using the Services through Customer's subscription (Users).
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| Manage our relationship with you (e.g., responding to your communications, notifying you about changes to our privacy policy) | Identity; Contact; Marketing and Communications | Necessary for our legitimate interests; Necessary to comply with a legal obligation; Performance of a contract |
| Provide you with information that you have requested from us | Identity; Contact; Marketing and Communications | Necessary for our legitimate interests; Your consent |
| Administer and protect our business and the Website (e.g., troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity; Contact; Technical | Necessary for our legitimate interests; Necessary to comply with a legal obligation |
| Deliver relevant Website content to you and measure or understand the effectiveness of the content we serve to you | Identity; Contact; Technical; Usage; Marketing and Communications | Necessary for our legitimate interests |
| Use data analytics to improve the Website, products/services, marketing, customer relationships and experiences | Technical; Usage | Necessary for our legitimate interests |
| To make suggestions and recommendations to you about products or services that may be of interest to you | Identity; Contact; Technical; Usage; Marketing and Communications | Necessary for our legitimate interests |
Infrastructure Subprocessors (data storage)
| Entity Name | Purpose | Entity Country | Data Storage Location |
| --- | --- | --- | --- |
| Microsoft Corporation (Microsoft Azure) | Provisioning and operations of infrastructure services (PaaS), including CDN, WAF, Network acceleration | United States | EU |
| Amazon.com, Inc. (AWS) | Provisioning and operations of infrastructure services (PaaS), CDN only | United States | EU |
Service Specific Subprocessors (data processors)
| Entity Name | Purpose | Entity Country | Data Storage Location |
| --- | --- | --- | --- |
| Mandrill | Cloud-based email delivery service providing the ability to send transactional emails | United States | US |
| Twilio Inc. | Cloud-based email and text message delivery service providing the ability to send transactional messages and transactional emails | United States | US |
| Zendesk | Provides customer support ticket handling capabilities | United States | US |
| Mixpanel | Third-party analytics platform used to analyze behaviour of users on Lobster Ink's platforms | United States | EU |
| Logshero Ltd. | Cloud-based service to capture and store infrastructure log files | Israel | EU |
| Functional Software Inc. (Sentry) | Cloud-based service to capture and store application log files | United States | US |
| Elasticsearch B.V. | Cloud-based service to capture, store, perform real-time search and analyze application events | United States | EU |
| Hotjar Ltd. | Cloud-based user behavior analytics tool | Malta | EU |
| Microsoft Corporation (PowerBI) | Cloud-based data and analytics reporting service | United States | US |
Lobster Ink and its affiliates (data processing)
| Entity Name | Purpose | Entity Country |
| --- | --- | --- |
| Nalco Europe BV | Service maintenance and technical support | NL |
| Lobster Ink Africa | Technical support | SA |
Issue Types

| Priority | Definition | Symptoms |
| --- | --- | --- |
| 1 | System is non-operational | Prevents all Users from: logging in; completing lessons; completing any assessments; generating any reports |
| 2 | System is partially non-operational with no workaround available. | Prevents a material number of Users from: logging in; completing lessons; completing any assessments; generating any reports |
| 3 | Partial system failure that moderately affects usage. Workaround available. | Intermittent video playback issues. |
| 4 | Issue that causes minimal disruption to a User | Degraded response times. Display issues on specific browsers. |
Response Times
| Priority | Response Time | Resolve Time Objective |
| --- | --- | --- |
| 1 | 45 minutes | 6 hours |
| 2 | 2 hours | 12 hours |
| 3 | 4 hours | Ticket update every 48 hours until a resolution time is available. |
| 4 | 4 hours | Ticket update every 48 hours until a resolution time is available. |