Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the commercial agreement ("Agreement") which was executed by ServiceQUIK Pte. Ltd. (“ServiceQUIK”) and its Partners and the person or entity whose details are indicated in the Business Agent Partner Partner online registration form (“Partner”) to reflect the parties’ addendum on the Processing of Personal Information in accordance with Regulation (EU) 2016/679 (GDPR). 

All capitalized terms not defined herein will have the meaning set forth in the Agreement, the CCPA, PDPA or the GDPR. All terms under the agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the agreement. 

In the course of providing the service to Client pursuant to the Agreement ( "Service"), ServiceQUIK may Process Personal Information on behalf of the data controller. The parties agree to comply with the following provisions under this DPA with respect to Client's Personal Information processed by ServiceQUIK on behalf of data controller as part of the Services. 

1.1. "Partner"

means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Agreement, where “control” means the ownership of a majority share of the voting stock, equity, or voting interests of such entity.

1.2. "ServiceQUIK Information Security Documentation"

means the information security documentation applicable to the specific Service purchased by Client, as updated from time to time, and made available by ServiceQUIK upon request.

1.3. "Individual"

means a natural person to whom Personal Information relates, also referred to as "Data Subject" under the GDPR, “individual” under the PDPA or “Consumer” under the CCPA. 

1.4. "Personal Information"

means information about an identified or identifiable individual, including but not limited to the definitions under the CCPA; also referred to as "Personal Data" pursuant to the GDPR and PDPA, which ServiceQUIK Processes under the terms of the Agreement.

1.5. "Personnel"

means the employees, agents, consultants, and contractors of Client and Client's Partners.

1.6. “Privacy Laws and Regulations"

means all applicable US federal and state privacy laws and regulations, including the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”( and Regulation (EU) 2016/679 ("GDPR"), as applicable to the Processing of Personal Data under the Agreement.

1.7. "Privacy Shield"

means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.

1.8. "Privacy Shield Principles"

mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.

1.9. "Process" or "Processing"

means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.1. Scope and Roles:

This DPA applies when Personal Information is Processed by ServiceQUIK as part of ServiceQUIK’s provision of the Service, as further specified in the Agreement. 

2.2. Instructions for ServiceQUIK’s Processing of Personal Information:

ServiceQUIK will only Process Personal Information on behalf of and in accordance with the Client’s instructions. The client instructs ServiceQUIK to Process Personal Information for the following purposes: (i) Processing in accordance with the Agreement, including, without limitation to provide the Service, and for back-up and disaster recovery, analysis, cyber security, operations, control, improvements, and development of ServiceQUIK's Service, fraud and service misuse prevention, legal and administrative proceedings and retention of the Personal Information to provide the Client with an ability to access the data and to reinstate Client's account with ServiceQUIK, provided that the Client did not request the deletion of such data; and (ii) Processing to comply with other reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement and comply with applicable requirements under Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require a prior written agreement between ServiceQUIK and Client on additional instructions for processing, including the agreement on any additional fees Client will pay to ServiceQUIK for carrying out such instructions. ServiceQUIK will inform Client promptly, if in ServiceQUIK’s opinion an instruction violates any provision under the GDPR and will be under no obligation to follow such instruction until the matter is resolved in good faith between the parties.

2.3. ServiceQUIK will not 

(1) Sell Personal Information, or 

(2) retain, use or disclose Personal Information (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Client and ServiceQUIK, except as permitted under the applicable Privacy Laws and Regulations. ServiceQUIK acknowledges and will comply with the restrictions set forth in this Section 2.3.

2.4. The parties acknowledge and agree 

that the Personal Information that Client discloses to ServiceQUIK is provided to ServiceQUIK for a Business Purpose, and Client does not Sell Personal Information to ServiceQUIK in connection with the Agreement.

3.1.The Client undertakes to 

provide all necessary notices to Individuals and receive all necessary permissions and consents, as necessary for ServiceQUIK to process Personal Information on Client's behalf under the terms of the Agreement and this DPA, pursuant to the applicable requirements under Privacy Laws and Regulations.

3.2. To the extent required

under the applicable requirements under the GDPR, the Client will appropriately document the Individuals' notices and consents. 

4.1. Requests:

ServiceQUIK will, to the extent legally permitted, promptly notify Client if ServiceQUIK receives a request from an Individual, whose Personal Information is included in Client's Personal Information, or a request by the Individual's legal guardians, to exercise the right to access, correct, amend, or delete Personal Information related to the Individual, or to exercise such other personal right that the Individual is entitled to pursuant the applicable requirements under the GDPR.

4.2. Assistance:

ServiceQUIK will provide the Client with commercially reasonable cooperation and assistance in relation to handling the Individual's request, to the extent legally permitted and to the extent the Client does not have access to such Personal Information through its use of the Service. Except if not permitted under the applicable requirements under Privacy Laws and Regulations, the Client will reimburse ServiceQUIK with any costs and expenses related to ServiceQUIK’s provision of such assistance.

5.1. At the Client's written request

ServiceQUIK will cooperate with and make commercially reasonable efforts to assist Client in complying with Client's obligations pursuant to Articles 32 to 36 to the GDPR, taking into account the nature of processing and the information available to ServiceQUIK.

6.1. Limitation of Access:

ServiceQUIK will ensure that ServiceQUIK’s access to Personal Information is limited to that person who requires such access to perform the task. 

6.2. Confidentiality:

ServiceQUIK will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Information, including relevant obligations regarding confidentiality, data protection, and data security. ServiceQUIK will ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. ServiceQUIK will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel. 

7.1. Partners:

Some or all of ServiceQUIK’s obligations under the Agreement may be performed by ServiceQUIK Partners

7.2. Other Processors:

The client acknowledges and agrees that ServiceQUIK and ServiceQUIK’s Partners respectively may engage third-party service providers (“Other Processors”) in the performance of the Service on the Client's behalf. All Partners and Other Processors to whom ServiceQUIK transfers Personal Information to provide the Service on behalf of Client have entered into written agreements with ServiceQUIK or such other binding instruments that bind them by substantially the same material obligations under this DPA.

7.3. Liability:

ServiceQUIK will be liable for the acts and omissions of its Partners and agents to the same extent that ServiceQUIK would be liable if performing the Service of each Partner or agent directly, under the terms of the Agreement.

7.4. Objection:

To ensure compliance with applicable Privacy Laws and Regulation, Client may object to any engagement by ServiceQUIK with a new another processor (“New Processor”) to Process Client Personal Information on Client's behalf, within five (5) business days following ServiceQUIK's notice to Client of its engagement with the New Processor. If Client sends ServiceQUIK a written objection to the New Processor, ServiceQUIK will make commercially reasonable efforts to provide Client the same level of Service without using the New Processor to Process Client Personal Information. Nothing in this section prejudices the parties rights and obligations under the Agreement. 

8.1. All ServiceQUIK Partners 

and Other Processors to whom ServiceQUIK transfers Personal Information to provide the Service are certified to the Privacy Shield, or provide at least the same level of protection for the Personal Information as is required by the relevant principles of the Privacy Shield and comply with the requirements under the Privacy Shield for the onward transfer of Personal Information to agents, or have executed such other lawful instruments for lawfully transferring Personal Information related to Individuals within the EU to other territories, or are established in a country that was acknowledged by the EU Commission as providing adequate protection to personal data.

9.1. Controls:

ServiceQUIK will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of the Client's Personal Information according to the ServiceQUIK Information Security Documentation. ServiceQUIK regularly monitors compliance with these safeguards. ServiceQUIK will not materially decrease the overall security of the Service during the term of the Agreement. 

9.2. Policies and Audits:

To the extent required under applicable Privacy Laws and Regulations, ServiceQUIK will allow for and contribute to audits including inspections, conducted by Client or another auditor mandated by Client, in relation to ServiceQUIK’s compliance with its obligations under this Data Processing Addendum up to once per year (“Data Protection and Security Audit”), provided, however, that any Data Protection and Security Audit is subject to the following cumulative conditions: (i) The Data Protection and Security Audit will be pre-scheduled in writing with ServiceQUIK, at least 60 days in advance; (ii) The audit will be conducted by an agreed third-party auditor, who will execute ServiceQUIK’s standard non-disclosure agreement prior to the initiation of the Data Protection and Security Audit, and a third party auditor will also execute a non-competition undertaking; (iii) the auditor will not have any access to non-Client data on ServiceQUIK’s information and network systems; (iv) Client will bear all costs and assume responsibility and liability for the Data Protection and Security Audit and for any failures or damage caused as a result thereof; (v) Client will be eligible to receive the Data Protection and Security Audit report only, without any ServiceQUIK raw data; Client will keep the Data Protection and Security Audit report in strict confidentiality, will use them solely for the specific purposes of the Data Protection and Security Audit under this section, will not use them for any other purpose, or share them with any third party, without ServiceQUIK’s prior explicit written confirmation; and (vi) If Client is required to disclose the Data Protection and Security Audit results to a competent authority, Client will first provide ServiceQUIK with a prior written notice, explaining the details and necessity of the disclosure, and will provide ServiceQUIK with all necessary assistance to prevent the disclosure thereof.

10.1. Breach prevention and management:

ServiceQUIK will maintain security incident management policies and procedures and will, to the extent required by applicable Privacy Laws and Regulations notify Client without undue delay after becoming aware of any unauthorized access to, acquisition of, or disclosure of Client Personal Information, by ServiceQUIK or its Partners or agents of which ServiceQUIK becomes aware of (a “Security Incident”).

10.2. Remediation:

ServiceQUIK will promptly make reasonable efforts to identify and remediate the cause of such a Security Incident.

11.1. Data Deletion:

After the end of the provision of the Service, ServiceQUIK will return the Client's Personal Information to the Client or delete such data, including by de-identifying thereof. For this DPA, the Service includes ServiceQUIK's option to retain Client Data in accordance with ServiceQUIK's privacy policy, following the termination of the Agreement, to allow the Client to re-engage with ServiceQUIK without loss of data and subject to the Client's right, at any time, after the termination of the Agreement to request ServiceQUIK to completely delete Client's Data.

11.2. Data Retention:

Notwithstanding, Client acknowledges and agrees that ServiceQUIK may retain copies of Client Personal Information as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under the applicable law, including to retain data according to legal requirements and to use such data to protect ServiceQUIK, its Partners, agents, and any person on their behalf in court and administrative proceedings.

12.1. ServiceQUIK may disclose

Personal Information (a) if required by a subpoena or other judicial or administrative order or is otherwise required by law, or (b) if ServiceQUIK deems the disclosure necessary to protect the safety and rights of any person or the general public.

13.1. ServiceQUIK may process data

based on extracts of Personal Information on aggregated and non-identifiable forms, for ServiceQUIK's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at ServiceQUIK's discretion, provided that such data cannot reasonably identify an Individual. Section 13 will survive any termination of this DPA.

14.1. This DPA will commence 

on the same date that the Agreement is effective and will continue until the Agreement has expired or terminated, pursuant to the terms therein.

15.1. ServiceQUIK's compliance team

Is responsible to make sure that all relevant ServiceQUIK personnel adheres to this DPA.

15.2. ServiceQUIK's compliance team 

can be reached at: dpo@servicequik.com.

16.1. Each Party will create 

an escalation process and provide a written copy to the other Party within five (5) business days of any dispute arising out of or relating to this DPA. The escalation process will be used to address disputed issues related to the performance of this DPA, including but not limited to technical problems. The Parties agree to communicate regularly about any open issues or process problems that require prompt and accurate resolution as outlined in their respective escalation process documentation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this DPA, before and as a prior condition for commencing legal proceedings of any kind, first as set forth above in the escalation process and next by negotiation between executives who have authority to settle the controversy and who at a higher level of management than the persons with direct responsibility for the administration of this DPA. Any Party may give the other party written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving Party shall submit to the other a written response. The notice and the response will include (a) a statement of each Party’s position and a summary of arguments supporting that position and (b) the name and title of the executive who will represent that party and of any other person who will accompany the executive. Within fifteen (15) business days after delivery of the disputing Party’s notice, the executives of both Parties shall meet at a mutually acceptable time and place, including telephonically, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute. All reasonable requests for information made by one Party to the other will be honored. All negotiations according to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.

17.1. Any alteration or modification

 of this DPA is not valid unless made in writing and executed by duly authorized personnel of both parties.

17.2. Invalidation of one or more 

of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives