Please email us at hi@certfusion.com for a signed DPA
This Data Processing Agreement ("DPA") forms a part of the CertFusion Terms of Service or Master Service Agreement (the "Agreement"), unless Customer has entered into a superseding written agreement with STATICMAKER PTE. LTD., in which case it forms a part of such written agreement.
By signing this DPA or by using the CertFusion service, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Controller Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services under the Agreement, STATICMAKER PTE. LTD. may Process certain Personal Data on behalf of Customer, and where STATICMAKER PTE. LTD. Processes such Personal Data on behalf of Customer, the Parties agree to comply with the terms and conditions in this DPA.
HOW TO EXECUTE THIS DPA:
To complete this DPA, Customer must contact STATICMAKER PTE. LTD. at hi@certfusion.com, and this DPA will become legally binding upon execution by both parties.
HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES:
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. If the Customer entity signing this DPA has executed an Order Form with STATICMAKER PTE. LTD. pursuant to the Agreement but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s). If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
"STATICMAKER PTE. LTD." means STATICMAKER PTE. LTD., a limited company organized and existing under the laws of the Republic of Singapore, Unique Entity Number: 202608894R, with its registered office at 60 Paya Lebar Road, #06-28 Paya Lebar Square, Singapore 409051.
"STATICMAKER PTE. LTD. Group" means STATICMAKER PTE. LTD. and its Affiliates engaged in the Processing of Personal Data.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Applicable Data Protection Laws" means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area ("EEA") and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Controller Affiliate" means any of Customer's Affiliate(s) (a)(i) that are subject to applicable Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) permitted to use the Services pursuant to the Agreement between Customer and STATICMAKER PTE. LTD., but have not signed their own Order Form and are not a "Customer" as defined under the Agreement, (b) if and to the extent STATICMAKER PTE. LTD. processes Personal Data for which such Affiliate(s) qualify as the Controller.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"Europe" means the European Union, the EEA, Switzerland and the United Kingdom.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller.
"Public Authority" means a government agency or law enforcement authority, including judicial authorities.
"Standard Contractual Clauses" means Standard Contractual Clauses for the transfer of Personal Data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://data.europa.eu/eli/dec_impl/2021/914/oj.
"Sub-processor" means any entity engaged by STATICMAKER PTE. LTD. or a member of the STATICMAKER PTE. LTD. Group to Process Personal Data in connection with the Services.
"Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller (or a Processor acting on behalf of a Controller), and STATICMAKER PTE. LTD. is the Processor. STATICMAKER PTE. LTD. or members of the STATICMAKER PTE. LTD. Group may engage Sub-processors pursuant to the requirements set forth in Section 4.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Laws (including, where Customer is a Processor, by ensuring that the relevant Controller does so). Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer is responsible for ensuring that it has obtained all necessary consents, authorizations, and lawful bases for the transfer of Personal Data to STATICMAKER PTE. LTD. Customer warrants that its use of the Services and its instructions to STATICMAKER PTE. LTD. will not cause STATICMAKER PTE. LTD. to violate any applicable Data Protection Laws. Customer shall indemnify and hold harmless STATICMAKER PTE. LTD. against any claims, fines, penalties, damages, costs, and expenses arising from Customer's breach of this Section 2.2.
2.3 STATICMAKER PTE. LTD.'s Processing of Personal Data. As Customer's Processor, STATICMAKER PTE. LTD. shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Customer's authorized users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose"). STATICMAKER PTE. LTD. acts on behalf of and on the instructions of Customer in carrying out the Purpose.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by STATICMAKER PTE. LTD. is the performance of the CertFusion certificate generation, management, and distribution platform as described in the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.
2.5 Customer Instructions. STATICMAKER PTE. LTD. shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if STATICMAKER PTE. LTD. is unable to follow Customer's instructions for the Processing of Personal Data.
3.1 Data Subject Requests. STATICMAKER PTE. LTD. shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject under applicable Data Protection Laws in relation to Personal Data, such as a Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or its right not to be subject to automated individual decision making (each, a "Data Subject Request").
3.2 Processor's Role. STATICMAKER PTE. LTD. shall not respond to a Data Subject Request itself, except that Customer authorizes STATICMAKER PTE. LTD. to redirect the Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, STATICMAKER PTE. LTD. shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request as required by applicable Data Protection Laws.
3.3 Additional Assistance. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, STATICMAKER PTE. LTD. shall, upon Customer's request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent STATICMAKER PTE. LTD. is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from STATICMAKER PTE. LTD.'s provision of such assistance, including any fees associated with provision of additional functionality.
4.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) STATICMAKER PTE. LTD.'s Affiliates may be retained as Sub-processors through written agreement with STATICMAKER PTE. LTD. and (b) STATICMAKER PTE. LTD. and STATICMAKER PTE. LTD.'s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Personal Data, STATICMAKER PTE. LTD. or a STATICMAKER PTE. LTD. Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor.
4.2 List of Current Sub-processors and Notification of New Sub-processors. A current list of Sub-processors engaged in Processing Personal Data for the performance of the Services, including a description of their processing activities and countries of location, is accessible at all times via STATICMAKER PTE. LTD.'s website at https://certfusion.com/legal/sub-processors or the Privacy Policy. STATICMAKER PTE. LTD. shall send notifications to Customer of new Sub-processors by email or by updating its website at least fourteen (14) days prior to authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
4.3 Objection Right for New Sub-processors. Customer may reasonably object to STATICMAKER PTE. LTD.'s use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate applicable Data Protection Laws or weaken the protections for such Personal Data) by notifying STATICMAKER PTE. LTD. promptly in writing within ten (10) business days after receipt of STATICMAKER PTE. LTD.'s notice in accordance with Section 4.2. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, STATICMAKER PTE. LTD. will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If STATICMAKER PTE. LTD. is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, either party may terminate without penalty the applicable Service subscription with respect only to those Services which cannot be provided by STATICMAKER PTE. LTD. without the use of the objected-to new Sub-processor by providing written notice. STATICMAKER PTE. LTD. will refund Customer any prepaid fees covering the remainder of the term following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
4.4 Liability. STATICMAKER PTE. LTD. shall be liable for the acts and omissions of its Sub-processors to the same extent STATICMAKER PTE. LTD. would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
5.1 Controls for the Protection of Personal Data. STATICMAKER PTE. LTD. shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data. STATICMAKER PTE. LTD. regularly monitors compliance with these measures. STATICMAKER PTE. LTD. will not materially decrease the overall security of the Services during a subscription term. The technical and organizational measures are further described in Schedule 3 (Security Measures) to this DPA.
5.2 Customer's Security Responsibilities. Customer is solely responsible for making an independent determination as to whether the technical and organizational measures implemented by STATICMAKER PTE. LTD. meet Customer's requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by STATICMAKER PTE. LTD. provide a level of security appropriate to the risk with respect to its Personal Data.
5.3 Audit. STATICMAKER PTE. LTD. shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA. STATICMAKER PTE. LTD. may satisfy audit requests by providing relevant third-party audit reports, certifications (e.g., SOC 2, ISO 27001), or completed security questionnaires. If Customer reasonably requires an on-site audit, such audit shall be subject to the following conditions:
(a) Customer shall provide at least thirty (30) days' written notice;
(b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt STATICMAKER PTE. LTD.'s operations;
(c) Customer (or its auditor) shall enter into a confidentiality agreement acceptable to STATICMAKER PTE. LTD.;
(d) Audits shall be limited to once per twelve (12) month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit;
(e) Customer shall bear all costs of any audit.
5.4 Data Protection Impact Assessment. Upon Customer's request, STATICMAKER PTE. LTD. shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer's obligation under Data Protection Laws to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to STATICMAKER PTE. LTD. Customer shall be responsible for any costs arising from STATICMAKER PTE. LTD.'s provision of such assistance.
6.1 STATICMAKER PTE. LTD. maintains security incident management policies and procedures. STATICMAKER PTE. LTD. shall notify Customer without undue delay of any breach relating to Personal Data (within the meaning of applicable Data Protection Laws) of which STATICMAKER PTE. LTD. becomes aware and which may require a notification to be made to a competent Supervisory Authority or Data Subject under applicable Data Protection Law, or which STATICMAKER PTE. LTD. is required to notify to Customer under applicable Data Protection Law (a "Personal Data Incident").
6.2 Such notification shall include, to the extent available at the time of notification:
(a) A description of the nature of the Personal Data Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
(b) The name and contact details of STATICMAKER PTE. LTD.'s data protection contact;
(c) A description of the likely consequences of the Personal Data Incident;
(d) A description of the measures taken or proposed to address the Personal Data Incident.
6.3 STATICMAKER PTE. LTD. shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within STATICMAKER PTE. LTD.'s control.
6.4 Except as required by applicable Data Protection Law, the obligations herein shall not apply to incidents that are caused by Customer, Customer's authorized users, and/or any third-party products or integrations enabled by Customer. For the avoidance of doubt, STATICMAKER PTE. LTD. shall have no liability for any Personal Data Incident to the extent it arises from: (a) Customer's failure to comply with its obligations under this DPA or applicable Data Protection Laws; (b) Customer's or its authorized users' actions or omissions, including misconfiguration of the Services; (c) any unauthorized access resulting from Customer's failure to maintain the security of its account credentials; or (d) any third-party integration connected or configured by Customer.
7.1 STATICMAKER PTE. LTD. Requirements. In its role as a Processor, STATICMAKER PTE. LTD. shall maintain appropriate measures to protect Personal Data in accordance with the requirements of Data Protection Laws, including by implementing appropriate technical and organizational safeguards. If STATICMAKER PTE. LTD. receives a legally binding request to access Personal Data from a Public Authority, STATICMAKER PTE. LTD. shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent STATICMAKER PTE. LTD. is prohibited by law from providing such notification, STATICMAKER PTE. LTD. shall, as appropriate, use commercially reasonable efforts to obtain a waiver of the prohibition to enable STATICMAKER PTE. LTD. to communicate as much information as possible, as soon as possible.
7.2 Further, STATICMAKER PTE. LTD. shall challenge the request if, after careful assessment, it considers that the request is unlawful. When challenging a request, STATICMAKER PTE. LTD. shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. STATICMAKER PTE. LTD. agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
7.3 Sub-processor Requirements. STATICMAKER PTE. LTD. shall ensure that Sub-processors involved in the Processing of Personal Data are subject to relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
7.4 For the avoidance of doubt, this DPA shall not require STATICMAKER PTE. LTD. to pursue actions or inactions that could result in civil or criminal penalty for STATICMAKER PTE. LTD. such as contempt of court.
8.1 Upon termination of the Services for which STATICMAKER PTE. LTD. is Processing Personal Data, STATICMAKER PTE. LTD. shall, upon Customer's written request, return all Personal Data in STATICMAKER PTE. LTD.'s possession to Customer or securely destroy such Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data.
8.2 STATICMAKER PTE. LTD. shall complete the return or deletion within thirty (30) days of the Customer's written request, unless applicable law requires continued storage. If Customer fails to request return or deletion within thirty (30) days of termination, STATICMAKER PTE. LTD. may delete all Personal Data without further notice.
8.3 Subject to the Service plan purchased by Customer, access to data export functionality may require use of the CertFusion API or may incur additional charges and/or require purchase of a Service upgrade. STATICMAKER PTE. LTD. shall not be required to provide data export in any format other than those supported by the Service at the time of the request.
8.4 Where retention is required by applicable law or regulation (including tax and accounting requirements), STATICMAKER PTE. LTD. may retain Personal Data for the minimum period required, after which it shall be securely deleted.
9.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between STATICMAKER PTE. LTD. and each such Controller Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Controller Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Controller Affiliates must comply with the terms and conditions of the Agreement and any violation by a Controller Affiliate shall be deemed a violation by Customer.
9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with STATICMAKER PTE. LTD. under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.
9.3 Rights of Controller Affiliates. If a Controller Affiliate becomes a party to the DPA with STATICMAKER PTE. LTD., it shall, to the extent required under applicable Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, subject to the following: except where applicable Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against STATICMAKER PTE. LTD. directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and (ii) the Customer shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together.
10.1 Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and STATICMAKER PTE. LTD., whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
10.2 For the avoidance of doubt, STATICMAKER PTE. LTD.'s and its Affiliates' total liability for all claims from the Customer and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Controller Affiliate that is a contractual party to any such DPA.
10.3 STATICMAKER PTE. LTD. shall not be liable for any claims, losses, or damages arising from: (a) Customer's failure to comply with its obligations under applicable Data Protection Laws; (b) Customer's instructions that infringe applicable Data Protection Laws, provided STATICMAKER PTE. LTD. has informed Customer of such infringement; (c) Customer's submission of special categories of Personal Data without proper lawful basis; (d) any processing of Personal Data by Customer that is outside the scope of the Agreement; or (e) Customer's failure to fulfil its obligations as a Controller, including obtaining necessary consents and providing required notices to Data Subjects.
10.4 In no event shall STATICMAKER PTE. LTD. be liable under this DPA for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data (other than Personal Data), or business opportunity, regardless of the theory of liability, even if STATICMAKER PTE. LTD. has been advised of the possibility of such damages.
10.5 Notwithstanding anything to the contrary in this DPA or the Agreement, STATICMAKER PTE. LTD.'s aggregate liability under this DPA shall not exceed the total fees paid by Customer to STATICMAKER PTE. LTD. under the Agreement during the twelve (12) months immediately preceding the event giving rise to the claim.
10.6 Customer shall indemnify, defend, and hold harmless STATICMAKER PTE. LTD. and its Affiliates, officers, directors, employees, and agents from and against any third-party claims, fines, penalties, damages, costs, and expenses (including reasonable legal fees) arising from or related to: (a) Customer's breach of this DPA; (b) Customer's violation of applicable Data Protection Laws; (c) Customer's failure to obtain necessary consents or provide required notices; or (d) any claim by a Data Subject or Supervisory Authority resulting from Customer's acts or omissions as a Controller.
10.7 Disclaimer of Warranties. Except as expressly set forth in this DPA, STATICMAKER PTE. LTD. makes no warranties of any kind, whether express, implied, statutory, or otherwise, regarding the Services or any security measures, including any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. STATICMAKER PTE. LTD. does not warrant that the security measures will be uninterrupted, error-free, or that they will prevent all unauthorized access to or use of Personal Data.
11.1 Definitions. For the purposes of this Section 11 and Schedule 1, the following terms shall be defined as follows:
"EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
"EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
11.2 GDPR. STATICMAKER PTE. LTD. will Process Personal Data in accordance with the GDPR requirements directly applicable to STATICMAKER PTE. LTD.'s provisioning of the Services.
11.3 Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that apply in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of Europe, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the Data Protection Laws of Europe:
(a) The EU C-to-P Transfer Clauses. Where Customer and/or its Controller Affiliate is a Controller and a data exporter of Personal Data and STATICMAKER PTE. LTD. is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Section 1 of Schedule 1; and/or
(b) The EU P-to-P Transfer Clauses. Where Customer and/or its Controller Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and STATICMAKER PTE. LTD. is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Sections 1 and 2 of Schedule 1.
11.4 UK Transfers. In case of any transfers of Personal Data from the United Kingdom governed by UK Data Protection Laws and Regulations, the Mandatory Clauses of the Approved Addendum being the template Addendum B1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.
12.1 Governing Law. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the Republic of Singapore.
12.2 Dispute Resolution. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the Republic of Singapore.
12.3 Modifications. STATICMAKER PTE. LTD. may update this DPA from time to time to reflect changes in applicable Data Protection Laws, regulatory guidance, or the Services. STATICMAKER PTE. LTD. will notify Customer of material changes by email or by posting the updated DPA on its website at least thirty (30) days before the changes take effect. Customer's continued use of the Services after such notice period constitutes acceptance of the updated DPA. If Customer does not agree with the changes, Customer may terminate the Agreement in accordance with its terms.
12.4 Conflicts. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between this DPA and the Agreement on matters relating to data protection, this DPA shall prevail.
12.5 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.6 Entire Agreement. This DPA, together with the Agreement, its schedules, and the Standard Contractual Clauses (where applicable), constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements on this subject.
For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and STATICMAKER PTE. LTD. is the data importer. Where this Section 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses, it applies to both of them.
1.1 Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purpose of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.
1.2 Docking Clause. The option under Clause 7 shall not apply.
1.3 Instructions. This DPA and the Agreement are Customer's complete and final instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of Clause 8.1(a), the instructions by Customer to process Personal Data are set out in Section 2.3 of the DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.
1.4 Security of Processing. For the purposes of Clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organizational measures implemented by STATICMAKER PTE. LTD. meet Customer's requirements. For the purposes of Clause 8.6(c), Personal Data Breaches will be handled in accordance with Section 6 of the DPA.
1.5 General Authorisation for Use of Sub-processors. Option 2 under Clause 9 shall apply. For the purposes of Clause 9(a), STATICMAKER PTE. LTD. has Customer's general authorisation to engage Sub-processors in accordance with Section 4 of the DPA. STATICMAKER PTE. LTD. shall make available to Customer the current list of Sub-processors in accordance with Section 4.2 of the DPA.
1.6 Notification of New Sub-processors and Objection Right. Pursuant to Clause 9(a), Customer acknowledges and expressly agrees that STATICMAKER PTE. LTD. may engage new Sub-processors as described in Sections 4.2 and 4.3 of the DPA.
1.7 Audits. The parties agree that the audits described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 5.3 of the DPA.
1.8 Complaints and Redress. For the purposes of Clause 11, and subject to Section 3 of the DPA, STATICMAKER PTE. LTD. shall inform Data Subjects on its website of a contact point authorised to handle complaints. STATICMAKER PTE. LTD. shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. STATICMAKER PTE. LTD. shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under Clause 11 shall not apply.
1.9 Liability. STATICMAKER PTE. LTD.'s liability under Clause 12(b) shall be limited to any damage caused by its Processing where STATICMAKER PTE. LTD. has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
1.10 Certification of Deletion. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by STATICMAKER PTE. LTD. to Customer only upon Customer's written request.
1.11 Supervision. Clause 13 shall apply as follows:
(a) Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
(b) Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1), the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
(c) Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2), the Irish Data Protection Commission shall act as competent supervisory authority.
(d) Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office ("ICO") shall act as competent supervisory authority.
(e) Where Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
1.12 Notification of Government Access Requests. For the purposes of Clause 15(1)(a), STATICMAKER PTE. LTD. shall notify Customer only (and not the Data Subject(s)) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
1.13 Governing Law. The governing law for the purposes of Clause 17 shall be the law of the Republic of Singapore.
1.14 Choice of Forum and Jurisdiction. For the purpose of Clause 18, any dispute arising from the Clauses shall be resolved by the courts of the Republic of Singapore.
1.15 Appendix. The Appendix shall be completed as follows: The contents of Schedule 2 shall form the relevant Annexes to the Standard Contractual Clauses. The contents of Schedule 3 shall form Annex II to the Standard Contractual Clauses.
For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following:
2.1 Instructions and Notifications. For the purposes of Clause 8.1(a), Customer hereby informs STATICMAKER PTE. LTD. that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and the DPA, including its authorizations to STATICMAKER PTE. LTD. for the appointment of Sub-processors in accordance with the DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received by STATICMAKER PTE. LTD. to the relevant Controller where appropriate.
2.2 Security of Processing. For the purposes of Clauses 8.6(c) and (d), STATICMAKER PTE. LTD. shall provide notification of a Personal Data Breach concerning Personal Data Processed by STATICMAKER PTE. LTD. to Customer.
2.3 Documentation and Compliance. For the purposes of Clause 8.9, all enquiries from the relevant Controller shall be provided to STATICMAKER PTE. LTD. by Customer. If STATICMAKER PTE. LTD. receives an enquiry directly from a Controller, it shall forward the enquiry to Customer, and Customer shall be solely responsible for responding.
2.4 Data Subject Rights. For the purposes of Clause 10, STATICMAKER PTE. LTD. shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
Data Exporter: Customer, as identified in the Agreement.
Data Importer: STATICMAKER PTE. LTD., as identified in this DPA.
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
The Personal Data transferred may include, but is not limited to:
The Processor does not intentionally process special categories of Personal Data (as defined in Article 9 of GDPR). Customer must not submit special category data unless it has obtained all necessary consents and lawful bases from Data Subjects and has notified STATICMAKER PTE. LTD. in advance in writing. Any submission of special category data by Customer is at Customer's sole risk and responsibility. STATICMAKER PTE. LTD. disclaims all liability arising from the processing of special categories of data submitted by Customer, and Customer shall indemnify STATICMAKER PTE. LTD. against any claims, fines, or damages arising therefrom.
Continuous basis, depending on the use of the Services by Customer.
The nature of the processing is the performance of the CertFusion certificate generation, management, issuance, and distribution platform pursuant to the Agreement, including account management, certificate design and generation, recipient management, certificate delivery, certificate verification, data imports from third-party integrations, payment processing, and transactional communications.
STATICMAKER PTE. LTD. will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer in its use of the Services.
Subject to Section 8 of the DPA, STATICMAKER PTE. LTD. will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
The Sub-processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Subject to Section 8 of the DPA, the Sub-processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country of location are listed on the Sub-processor page accessible via STATICMAKER PTE. LTD.'s website or Privacy Policy.
The competent supervisory authority shall be identified in accordance with Clause 13 of the Standard Contractual Clauses and Section 1.11 of Schedule 1 to this DPA.
STATICMAKER PTE. LTD. will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services. STATICMAKER PTE. LTD. will not materially decrease the overall security of the Services during a subscription term.
The following categories of measures are maintained:
Access Control: Role-based access control with administrative restrictions. Multi-tenant data isolation ensuring all data queries are scoped to the authenticated user. API authentication with granular access scopes. Session management with configurable timeouts.
Cryptographic Controls: Industry-standard password hashing. Encryption at rest for sensitive credentials and tokens. SSL/TLS support for data in transit. HTTPS enforcement capabilities.
Application Security: Server-side input validation on all data entry points. Cross-site request forgery protection. Webhook signature verification for third-party integrations. File upload restrictions including type validation and size limits. API request rate limiting.
Data Minimization: Payment card details are not stored; payment processing is delegated to Stripe with only minimal reference data retained locally. OAuth tokens are managed with expiration tracking and automatic refresh. Sensitive fields are excluded from API responses.
Operational Security: Database integrity controls and transactional processing. Asynchronous job processing with monitoring. Application-level logging for operational monitoring and incident investigation. Configurable log retention and monitoring.
Data Subject Requests shall be handled in accordance with Section 3 of the DPA.