Data Processing Agreement
Last updated: .
Introduction and Scope
- This DPA is a binding agreement between Galexia Creative Agency Ltd and its Clients, but only to the extent that (a) Galexia Creative Agency Ltd Processes Client Personal Data (defined below) for or on behalf of the Client pursuant to the Agreement and (b) the Data Protection Laws apply to such Client Personal Data. By using our Services in any way, you are agreeing to the terms of this DPA.
Capitalized terms which are not defined herein shall have the meaning provided elsewhere in the Agreement. In addition, the following defined terms apply solely with respect to this DPA.
- “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” shall have the meanings ascribed to them in Data Protection Laws.
- “Client Personal Data” means any Personal Data subject to the Data Protection Laws that Client provides, transfers, or makes accessible to Galexia Creative Agency Ltd in connection with the Services.
- “Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and any similar or related implementing legislation by European Union member states, the United Kingdom, or Switzerland.
Roles of the Parties
- Client is the Controller and Galexia Creative Agency Ltd is the Processor with respect to Client Personal Data. Galexia Creative Agency Ltd shall only Process Client Personal Data in accordance with Client’s documented instructions, which include the provisions of the Agreement, unless otherwise required to comply with any Data Protection Laws. We will inform you if, in our opinion, your instructions violate the Data Protection Laws.
- Client and Galexia Creative Agency Ltd shall comply with the Data Protection Laws. Client shall obtain any required authorizations, consents, releases, or permissions, and provide all required privacy notices, regarding the Client Personal Data. For the avoidance of doubt, Client shall have sole responsibility for the accuracy, quality, and legality of all Client Personal Data and the bases on which it is collected from the Data Subject.
Nature, Purpose, and Duration of Processing
- Galexia Creative Agency Ltd will Process Client Personal Data as necessary to perform the Services – which is generally limited to hosting of Client websites – or to protect Galexia Creative Agency Ltd’s legal rights, for the duration of the Agreement, unless otherwise agreed upon in writing. Client’s transfer of Client Personal Data to Galexia Creative Agency Ltd in connection with the Services is determined and controlled by Client in its sole discretion.
- Galexia Creative Agency Ltd may Process the following categories of Client Personal Data: any Personal Data collected, used, or otherwise Processed from End Users of Client Websites.
- Galexia Creative Agency Ltd may Process Client Personal Data from the following categories of Data Subjects: End Users of Client Websites.
- Galexia Creative Agency Ltd engages third-party subcontractors that Process Client Personal Data (“Sub-processors”) for the purposes of providing the Services. A current list of Sub-processors is available below in Appendix A. Client authorizes Galexia Creative Agency Ltd to engage these Sub-processors for the purpose of providing the Services.
- Galexia Creative Agency Ltd may update the list of Sub-processors in Appendix A from time to time, and such updates shall be the sole means of providing notice of Sub-processor changes to Client. Client is responsible for regularly checking and reviewing the list of Sub-processors in Appendix A. Client’s failure to object in writing to a new Sub-processor within fourteen (14) days of Galexia Creative Agency Ltd’s posting of the new Sub-processor shall constitute Client’s authorization of the new Sub-processor.
- If Galexia Creative Agency Ltd determines in its sole discretion that it cannot reasonably accommodate Client’s timely objection to a Sub-processor, upon notice from Galexia Creative Agency Ltd, Client may choose to terminate the Agreement pursuant to the termination provisions in the Terms of Service, which shall be Client’s sole and exclusive remedy.
- Galexia Creative Agency Ltd shall impose obligations on its Sub-processors that are the same as or substantially equivalent to those set out in this DPA by way of written contract. Galexia Creative Agency Ltd shall be liable to Client for the Sub-processors’ performance of its data protection obligations with respect to Client Personal Data.
Security and Impact Assessments
- Galexia Creative Agency Ltd shall ensure that its personnel are subject to binding obligations of confidentiality with respect to Client Personal Data.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Galexia Creative Agency Ltd shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- Taking into account the nature of Processing and the information available to Galexia Creative Agency Ltd, Galexia Creative Agency Ltd shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to security, impact assessments, and consultations with supervisory authorities or regulators.
Personal Data Breach
- Taking into account the nature of Processing and the information available to Galexia Creative Agency Ltd, Galexia Creative Agency Ltd shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to a Personal Data Breach.
- In the event of a discovered Personal Data Breach, Galexia Creative Agency Ltd shall provide prompt notice to Client using those means established for routine communications.
- Our notice shall include the following information to the extent it is reasonably available to Galexia Creative Agency Ltd at the time of the notice, and Galexia Creative Agency Ltd shall update its notice as additional information becomes reasonably available: (a) the dates and times of the Personal Data Breach; (b) the basic facts that underlie the discovery of the Personal Data Breach, or the decision to begin an investigation into a suspected Personal Data Breach, as applicable; (c) a description of the Client Personal Data involved in the Personal Data Breach, either specifically, or by reference to the data set(s); and (d) the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Personal Data Breach.
Deletion or Return of Client Personal Data
Upon proper termination of the Agreement and at the written direction of the Client, Galexia Creative Agency Ltd shall take reasonable measures to delete Client Personal Data or return Client Personal Data and copies thereof to the Client, subject to applicable laws or other Galexia Creative Agency Ltd obligations requiring the continued storage of the Client Personal Data by Galexia Creative Agency Ltd.
List of Sub-processors
- Digital Ocean: We use Digital Ocean servers to host and secure Client Websites and store data related to Client Websites.
- Netlify: We use Netlify to host and secure Client Websites and store data related to Client Websites.
- GitHub: We use Netlify to host and secure Client Websites and store data related to Client Websites.
- UptimeRobot: We use UptimeRobot to analyze uptime for our clients’ sites.
- Google Apps: We use Google/Google Apps to process email communication and manage online documents.
- MailChimp: MailChimp is a cloud-based SMTP provider that we use to send transactional and marketing emails.
- MailGun: MailGun is a cloud-based SMTP provider that we use to send emails.
- Cloudflare: We use Cloudflare in front of all of our WordPress sites. We use Cloudflare’s services to increase performance and security. Cloudflare will receive the IP addresses of website visitors.
This agreement is effective as of 2 September 2020.