
Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") outlines the arrangements between Shanghai Guance Future Information Technology Co., Ltd. (hereinafter referred to as "we" or "Guance") and the customer regarding the processing of personal data. This agreement is incorporated into the Master Subscription Agreement (or other electronic or jointly signed written agreement) between Guance and the customer referencing this DPA ("Agreement") to ensure that we, as a data processor, comply with applicable data protection laws and regulations.

  1. Introduction

This DPA ensures that Guance, as a data processor, complies with applicable data protection laws and regulations when processing customer personal data and clarifies the rights and obligations of both parties concerning data processing.

  2. Definitions

The following definitions apply to this DPA:

"Customer Data" refers to data from the customer's environment submitted for processing by the service. Through the configuration and use of the service, the customer can control the type and quantity of Customer Data.

"Customer Personal Data" refers to Customer Data containing personal data.

"Personal Data Breach" means a security breach involving the transmission, storage, or other processing of Customer Personal Data by Guance, resulting in accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to Customer Personal Data.

"Account Data" refers to customer information provided by the customer to Guance for creating or managing their Guance account, such as the first and last names, usernames, and email addresses of authorized users or billing contacts.

"Data Subject" refers to the natural person to whom the personal data relates.

"Processing" refers to any operation performed on personal data, including but not limited to collection, recording, storage, use, transmission, and deletion.

"Data Processor" refers to the party processing personal data under this agreement, which is Guance.

"Controller" refers to the party determining the purposes and means of processing personal data, which is the customer.

"Sub-processor" refers to any processor engaged by Guance or its affiliates to process Customer Personal Data on behalf of Guance or its affiliates in providing the services.

"Guance" refers to Shanghai Guance Future Information Technology Co., Ltd. as a contracting party to this DPA.

"Data Protection Law" refers to data protection or privacy laws and regulations directly applicable to the processing of personal data by the parties to the agreement, including European data protection law.

"GDPR" refers to the General Data Protection Regulation (2016/679) adopted by the European Parliament and Council on April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC.

"SCC" refers to the standard contractual clauses for international transfers of personal data annexed to the decision of the European Commission implementing Regulation (EU) 2016/679 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries, including the UK Transfer Addendum if applicable.

  3. Roles and Responsibilities

3.1 Both parties agree that Guance acts as a data processor in processing Customer Personal Data when providing the services. Guance will process Customer Personal Data only according to the Agreement, this DPA (including Appendix A), and the order ("written instructions").

3.2 The customer, as the controller, must ensure it has the legal right to provide personal data to Guance and that its instructions and requirements comply with applicable laws.

  4. Data Security

4.1 Security Measures. Considering the existing technology, implementation costs, nature, scope, context, and purpose of processing, as well as the varying risks to the rights and freedoms of natural persons, Guance has implemented and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data. The customer agrees that the security measures implemented by Guance (listed in Appendix B) are sufficient to meet its obligations under this DPA. Despite the above, the customer acknowledges and agrees that it is responsible for securely using the product.

4.2 Personal Data Breach. Upon discovering a personal data breach, Guance will immediately notify the customer without undue delay. The notification content includes (a) the nature of the personal data breach, including categories and approximate number of affected data subjects and personal data records; (b) measures taken or planned by Guance to address and mitigate the personal data breach; (c) any recommended actions for the customer to resolve the personal data breach. Guance's obligation to notify or respond to a personal data breach does not constitute an admission of any negligence or liability related to the breach.

  5. Sub-processors

5.1 The customer authorizes Guance to engage sub-processors to process personal data on behalf of Guance. The customer agrees to the use of sub-processors listed in the sub-processor list. Guance will update the sub-processor list at least 30 days before appointing new sub-processors and provide a mechanism for customers to receive updates to the sub-processor list, currently available through the sub-processor list.

5.2 Guance will enter into contracts with sub-processors that include data protection obligations equivalent to those in this DPA, ensuring compliance with applicable data protection laws.

5.3 Guance will be liable for the acts and omissions of its sub-processors under this DPA to the same extent as if Guance were performing the services directly. Guance will ensure these sub-processors provide adequate safeguards to protect the security of personal data.

  6. Data Subject Rights

6.1 Guance will assist the customer in fulfilling data subject rights, including but not limited to access, correction, deletion, and restriction of processing. If a data subject contacts Guance to exercise their rights, Guance will make reasonable efforts to forward the request to the customer.

  7. Data Transfer and Deletion

7.1 After the termination or expiration of the agreement, upon written request from the customer, personal data will be deleted within 30 days.

7.2 Unless required by applicable law, any Customer Personal Data archived in backups will be isolated and protected from further processing. Despite the above, Guance has no obligation to delete retained Customer Personal Data if applicable law requires retention, and this DPA will continue to apply to retained Customer Personal Data.

  8. Audits

8.1 Guance Audit Reports. Upon the customer's request and subject to the confidentiality provisions of the agreement, Guance will provide copies or extracts of audit reports related to service security, including ISO 27001 certification and SOC 2 reports.

  9. Data Transfers

9.1 The customer authorizes Guance and its sub-processors to transfer Customer Data internationally, including but not limited to transfers from the European Economic Area and the UK. To protect personal data transfers from the European Economic Area and the UK, both parties agree to sign Standard Contractual Clauses (SCCs) and the UK Transfer Addendum. Signing this DPA or the agreement constitutes signing the SCCs and any accompanying appendices.

9.2 Specific Application of SCCs:

(1) Module 2 will apply;

(2) In Article 7 (Docking), optional docking clauses will apply;

(3) In Article 9 (Use of Sub-processors), Option 2 for general written authorization of sub-processors should apply, with prior notice timeframes as described in Section 5.1 of this DPA;

(4) In Article 11 (Remedies), optional language does not apply;

(5) In Article 13 (Supervision), the competent supervisory authority shall be the German authority;

(6) In Article 17 (Governing Law), the SCCs shall be governed by German law;

(7) In Article 18(b) (Choice of forum and jurisdiction), both parties agree that disputes shall be resolved by German courts;

(8) Annex I of the SCCs shall supplement the information set out in Appendix A of this DPA;

(9) Annex II of the SCCs shall supplement the information set out in Appendix B of this DPA.

9.3 If Guance provides services involving the transfer of Customer Personal Data from the UK to a third country not deemed to provide adequate protection for Customer Personal Data, the Standard Contractual Clauses will be used and completed as specified in Section 9.2.

  10. Conflicts

In the event of conflicts or inconsistencies between this DPA, SCCs, and the agreement, the precedence order is: (1) Standard Contractual Clauses (SCCs); (2) this DPA; (3) the agreement.

  11. Agreement Amendments

11.1 Guance may amend this DPA under the following circumstances: (a) amendments are necessary to comply with applicable law; (b) amendments are commercially reasonable, do not substantially reduce service security, do not change the scope of Guance's processing of Customer Personal Data, and do not significantly adversely affect the customer's rights under this DPA.

Appendix A: Data Processing Details

  1. Party List

1.1 Data Exporter:

Name: [ ]

Address: [ ]

Contact Person Name: [ ], Position: [ ], Contact Information: [ ]

Activities related to data transfer under this DPA: Processing Customer Personal Data and Account Data to provide, support, and improve services.

Signature and Date: Both parties agree that signing the agreement represents the signing of this Appendix A.

Role (Controller/Processor): For Customer Personal Data, either processor or controller; for Account Data, controller.

1.2 Data Importer:

Name: Shanghai Guance Future Information Technology Co., Ltd.

Address: Building 7, No. 399 Keyuan Road, Pudong New Area, Shanghai

Contact Person Name: [ ], Position: [ ], Contact Information: [ ]

Activities related to data transfer under this DPA: Processing Customer Personal Data and Account Data to provide, support, and improve services.

Signature and Date: Both parties agree that signing the agreement represents the signing of this Appendix A.

Role (Controller/Processor): For Customer Personal Data, processor; for Account Data, controller.

  2. Data Transfer Description

2.1 Categories of Data Subjects Whose Personal Data Is Transferred

(1) Account Data: Data subjects may include employees of the customer.

(2) Customer Personal Data: Data subjects may include employees, customers, suppliers, and end-users of the customer.

2.2 Categories of Personal Data Transferred

(1) Account Data: Personal data sent by the customer to Guance for using the services.

(2) Customer Personal Data: Personal data sent by the customer to Guance for using the services.

2.3 Sensitive Data

No sensitive data is transferred.

2.4 Frequency of Transfer (whether data is transferred once or continuously)

Personal data is continuously transferred.

2.5 Nature of Processing

For Account Data: General account management and other activities outlined in Guance's public privacy policy.

For Customer Personal Data: Analysis, storage, and other services as described in the agreement, orders, DPA, and documentation.

2.6 Purpose of Data Transfer and Further Processing

To enable Guance to provide products to the customer and fulfill its rights and obligations under the agreement.

2.7 Retention Period for Personal Data

For Account Data: Personal data is retained to manage the customer's account according to Guance's privacy policy.

For Customer Personal Data: Personal data is retained according to the retention schedule outlined in the customer's service configuration or documentation.

Appendix B: Technical and Organizational Measures

Guance will implement at least the following technical and organizational security measures for Customer Personal Data processed on behalf of the customer.

  1. Encryption and Key Management

1.1 Guance maintains policies and procedures for managing encryption mechanisms and cryptographic keys to ensure effective management within Guance's encryption systems.

1.2 Guance encrypts data at rest and in transit over public networks according to industry-standard practices (if applicable).

  2. Compliance Audits

2.1 Guance will maintain SSAE 18 SOC 2 certification or similar certification during the term of the agreement. This certification will be updated annually. Upon request, Guance will provide a summary of its most recent SOC 2 report within each 12-month period of the agreement.

2.2 Guance adheres to guidelines from ISO 27001 and other industry-standard practices.

  3. Access Control

3.1 Only authorized users can access data, whether stored on any electronic or portable media or transmitted. Authorized users should have access only to data and resources necessary for their duties.

3.2 Guance maintains user access controls to promptly provision and deprovision user accounts.

  4. Business Continuity

4.1 Guance maintains business continuity, backup, and disaster recovery plans ("BC/DR Plans") to minimize service disruptions and comply with applicable laws.

4.2 BC/DR Plans cover threats to the service and any dependencies and establish procedures for restoring access and use of the service. BC/DR Plans are regularly tested.

  5. Change Control

5.1 Guance maintains policies and procedures for changing the service, including underlying infrastructure and system components, to ensure quality standards are met.

5.2 Guance conducts annual penetration testing of its network and services. Any vulnerabilities discovered during testing will be remediated according to Guance's vulnerability management policies and procedures and evaluated according to Guance's risk management framework.

5.3 Guance regularly performs network vulnerability scans and will remediate vulnerabilities according to Guance's vulnerability management policies and procedures and evaluate them according to Guance's risk management framework.

5.4 Security patches are applied according to Guance's patch update schedule.

  6. Data Security

6.1 Guance implements technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.

6.2 Guance isolates Customer Personal Data in production environments.

  7. Governance and Risk Management

7.1 Guance maintains an information security program reviewed at least annually.

7.2 Guance maintains a risk management plan with annual risk assessments.

  8. Administrative Controls

8.1 Guance uses third-party background checks for all Guance personnel with access to Customer Personal Data.

8.2 Guance employees complete onboarding and annual security awareness training.
