Data Processing Agreement

This Customer Data Processing Agreement (DPA) is part of the requirements of the European Data Protection Regulation (GDPR) and is an addendum to our Hosting Terms of Service (TOS) and Affiliate Program Agreement.

Definitions

Controller: Entity who determines the purpose and means of processing Personal Data.
Customer Data: Data that SmarterASP.net processes on behalf of Customer.
Personal Data: Data relating to an identified or identifiable natural person.
Processor: Entity that processes Personal Data on behalf of Customer.
Security Incidents: Unauthorized and/or unlawful breach of security leading to accidental and/or unlawful destruction, alteration, loss, unauthorized disclosure of or access to Personal Data.
Subprocessor: Processors used by SmarterASP.net to fulfill its obligations in providing the Service.

Scope

This DPA applies only to the extent that SmarterASP.net processes Personal Data on behalf of the Customer in the course of providing the Service and in the case such Personal Data is subject to Data Protection Laws of the European Union (EU).

In this DPA, the Customer is the Controller of Personal Data and SmarterASP.net will process Personal Data only as a Processor on behalf of Customer. Nothing in this DPA prevents SmarterASP.net from using any data that SmarterASP.net collects and processes independently of Customer's use of the Service.

As a Controller, Customer agrees that they will comply with their obligations under Data Protection Laws in respect to their processing of Personal Data and any processing instructions they issue to SmarterASP.net; and that they have obtained consents and rights necessary under Data Protection Laws for SmarterASP.net to process Personal Data and provide the Service.

As a Processor, SmarterASP.net will process Personal Data only for the following purposes:
- processing to perform the Service in accordance with the TOS; and
- to comply with other reasonable instructions provided by Customer.

SmarterASP.net handles Customer Data provided by Customer and the Customer Data may contain special categories of data depending on how the Service is used by Customer. The Customer Data may be subject to the following process activities:
- storage and other processing necessary to provide and improve the Service;
- to provide customer and technical support to Customer; and
- disclosures as required by law or otherwise set forth in the TOS.

Customer acknowledges that SmarterASP.net has the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Service for its legitimate business purposes (e.g., billing, technical support, product development, etc.). For data that is considered personal data under Data Protection Laws, SmarterASP.net will process such data in compliance with Data Protection Laws.

Subprocessing

Customer agrees that SmarterASP.net may engage Subprocessors to process Personal Data on Customer's behalf. You may request a list of Subprocessors currently engaged by SmarterASP.net.

When engaging with a Subprocessor, SmarterASP.net will:
- enter into a written agreement with the Subprocessor which imposes data protection terms that require the Subprocessor to protect Personal Data to the standards required by Data Protection Laws; and
- remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause SmarterASP.net to breach any of its obligations under this DPA.

SmarterASP.net shall provide Customer reasonable advance notice via email if it adds or removes Subprocessors.

Customer may object to SmarterASP.net’s engagement with a new Subprocessor on reasonable grounds relating to data protection by notifying SmarterASP.net in writing within five (5) days of receipt of SmarterASP.net's notice. The notice should reasonably explain the grounds for the objection. The parties will discuss such concerns in good faith with the goal of achieving a reasonable resolution. If a resolution is not possible, either party may terminate the applicable Service related to the use of the Subprocessor.

Security

SmarterASP.net will implement and maintain appropriate security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.

SmarterASP.net will ensure that any person who is authorized by SmarterASP.net to process Personal Data (e.g., SmarterASP.net staff, subcontractors) will be under an appropriate obligation of confidentiality.

In the event of a Security Incident, SmarterASP.net will notify Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known.

Customer acknowledges that the security measures evolve and that SmarterASP.net may update or modify the security measures from time to time.

International Transfers

Customer Data may be transferred and processed in the United States and anywhere in the world where Customer and/or its Subprocessors maintain data processing operations. SmarterASP.net will implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

Return and Deletion of Data

Customers have access to their uploaded files and databases and can download them. If Customer has any issues with downloading their content, they can contact our Technical Support for assistance. Upon deactivation of a SmarterASP.net Service, all Personal Data will be deleted, except for data which is required to be retained by applicable law, or Personal Data that is archived on backup systems (which are securely isolated and protected from further processing).

Cooperation

If Customer is unable to independently access the specific Personal Data within the Service in response to requests from individuals or data protection authorities, SmarterASP.net will (at Customer's expense) provide reasonable cooperation to assist Customer, if possible. In the event that any such request is made directly to SmarterASP.net, SmarterASP.net will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If SmarterASP.net is required to respond to such a request, SmarterASP.net will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

To the extent SmarterASP.net is required under Data Protection Law, SmarterASP.net will (at Customer's expense) provide reasonably requested information regarding SmarterASP.net’s processing of Personal Data under the TOS to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

Miscellaneous

Except for the changes made by this DPA, the TOS remains unchanged and in full force and effect. If there is any conflict between this DPA and the TOS, the DPA will prevail to the extent of that conflict.

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the TOS, unless required otherwise by Data Protection Laws.

Last updated May 21st, 2019.