
Data Processing Agreement (DPA)

This "Data Processing Agreement" (hereinafter referred to as "DPA") is intended to explain the arrangements between Shanghai Guance Future Information Technology Co., Ltd. (hereinafter referred to as "we" or "Guance") and customers regarding the processing of personal data. This agreement is incorporated into the main subscription agreement (or other electronic or jointly signed written agreement) between Guance and customers who reference this agreement ("Agreement"), to ensure that we, as the data processor, can comply with applicable data protection laws and regulations.

  1. Introduction

This DPA is intended to ensure that Guance, as the data processor, can follow applicable data protection laws and regulations when processing customers' personal data, and to clarify the rights and obligations of both parties regarding data processing.

  2. Definitions

The following definitions apply to this DPA:

"Customer Data" refers to data from the customer's environment that is submitted to the service for processing. Through the customer's configuration and use of the service, the customer can control the type and quantity of Customer Data.

"Customer Personal Data" refers to Customer Data that contains personal data.

"Personal Data Breach" refers to a security breach that occurs during the transmission, storage, or other processing of Customer Personal Data by Guance, resulting in accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to Customer Personal Data.

"Account Data" refers to customer information provided by the customer to Guance related to the creation or management of their Guance account, such as the first and last names of authorized users or the customer's billing contacts, usernames, and email addresses.

"Data Subject": Refers to the natural person to whom the personal data belongs.

"Processing": Refers to any operation performed on personal data, including but not limited to collection, recording, storage, use, transmission, and deletion.

"Data Processor": Refers to the party processing personal data under this agreement, i.e., Guance.

"Controller": Refers to the party that determines the purposes and means of processing personal data, i.e., the customer.

"Sub-processor": Refers to any processor engaged by Guance or Guance affiliates to process Customer Personal Data on behalf of Guance or its affiliates in the provision of services.

"Guance": Refers to Shanghai Guance Future Information Technology Co., Ltd., as the contracting party of this DPA.

"Data Protection Law": Refers to data protection or privacy laws and regulations directly applicable to the processing of personal data by the parties to the agreement, including European Data Protection Law.

"GDPR": Refers to the General Data Protection Regulation (2016/679) issued by the European Parliament and Council on April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC.

"SCC": Refers to the Standard Contractual Clauses for international transfers of personal data attached to the Commission Implementing Decision (EU) 2016/679 of June 4, 2021, including the UK Transfer Addendum (if applicable).

  3. Roles and Responsibilities

3.1 Both parties agree that Guance is the processor of Customer Personal Data when providing services, and Guance will only process Customer Personal Data in accordance with the Agreement, this DPA (including Appendix A), and the order ("Written Instructions").

3.2 The customer, as the data controller, must ensure that it has the legal right to provide personal data to Guance and that the instructions and requirements it provides comply with applicable laws.

  4. Data Security

4.1 Security Measures. Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, Guance has implemented and shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data. The customer agrees that the security measures implemented by Guance (listed in Appendix B) are sufficient to fulfill its obligations under this DPA. Notwithstanding the foregoing, the customer acknowledges and agrees that it is responsible for the secure use of the product.

4.2 Personal Data Breach. Guance will notify the customer without undue delay after discovering a personal data breach. The notification from Guance to the customer will include (a) the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the measures Guance has taken or plans to take to address and mitigate the personal data breach; (c) any measures Guance recommends the customer take to resolve the personal data breach. Guance's obligation to notify or respond to a personal data breach under this clause does not constitute an admission of any fault or liability by Guance related to the personal data breach.

  5. Sub-processors

5.1 The customer authorizes Guance to engage sub-processors to process personal data on behalf of Guance. The customer agrees to Guance's use of sub-processors listed in the sub-processor list. Guance will update the sub-processor list at least 30 days before appointing a new sub-processor and will provide the customer with a mechanism to receive notifications of updates to the sub-processor list, which is currently available through the sub-processor list.

5.2 Guance will enter into contracts with sub-processors that include data protection obligations equivalent to those in this DPA, ensuring their compliance with applicable data protection laws.

5.3 Guance will be responsible for the acts and omissions of its sub-processors related to Guance's performance under this DPA to the same extent as if Guance were directly performing the services, and Guance will make reasonable efforts to ensure that these sub-processors provide sufficient guarantees to protect the security of personal data.

  6. Data Subject Rights

6.1 Guance will assist the customer in fulfilling the rights of data subjects, including but not limited to access, rectification, deletion, and restriction of processing. If a data subject contacts the customer through Guance to exercise their rights, Guance will make reasonable efforts to forward the request to the customer.

  7. Data Transfer and Deletion

7.1 Upon termination or expiration of the Agreement, personal data will be deleted within 30 days upon the customer's written request.

7.2 Unless otherwise required by applicable law, any Customer Personal Data archived in backups will be isolated and protected from any further processing. Notwithstanding the foregoing, to the extent that applicable law requires Guance to retain part or all of the Customer Personal Data, Guance is not obligated to delete the retained Customer Personal Data, and this DPA will continue to apply to the retained Customer Personal Data.

  8. Audit

8.1 Guance's Audit Reports. Upon the customer's request and in accordance with the confidentiality provisions of the Agreement, Guance will provide the customer with a copy or excerpt of Guance's audit reports related to the security of the service, including, for example, its ISO 27001 certification and SOC 2 reports.

  9. Data Transfer

9.1 The customer authorizes Guance and its sub-processors to transfer Customer Data across borders, including but not limited to transfers from the European Economic Area and the UK. To protect the transfer of personal data from the European Economic Area and the UK, both parties agree to enter into the Standard Contractual Clauses (SCC) and the UK Transfer Addendum. The signature on this DPA or the Agreement constitutes the signing of the Standard Contractual Clauses (SCC) and any accompanying appendices.

9.2 Specific Application of the Standard Contractual Clauses:

(1) Module 2 shall apply;

(2) In Article 7 (Docking), the optional docking clause shall apply;

(3) In Article 9 (Use of Sub-processors), Option 2 for the "General Written Authorization" clause for sub-processors shall apply, and the prior notice period shall be as described in Article 5.1 of this DPA;

(4) In Article 11 (Redress), the optional language shall not apply.

(5) In Article 13 (Supervision), the competent supervisory authority shall be the German authority.

(6) In Article 17 (Governing Law), the Standard Contractual Clauses shall be governed by German law;

(7) In Article 18(b) (Choice of Forum and Jurisdiction), both parties agree that disputes shall be submitted to the German courts for resolution;

(8) Annex I of the Standard Contractual Clauses shall be supplemented by the information set out in Appendix A of this DPA;

(9) Annex II of the Standard Contractual Clauses shall be supplemented by the information set out in Appendix B of this DPA.

9.3 If the provision of services by Guance involves the transfer of Customer Personal Data from the UK to a third country that has not been recognized as providing adequate protection for Customer Personal Data, the Standard Contractual Clauses shall be used and completed in accordance with the provisions of Article 9.2.

  10. Conflicts

In the event of any conflict or inconsistency between this DPA, the SCC, and the Agreement, the order of precedence shall be: (1) the Standard Contractual Clauses (SCC); (2) this DPA; (3) the Agreement.

  11. Agreement Changes

11.1 Guance may make changes to this DPA under the following circumstances: (a) changes are necessary to comply with applicable laws; (b) changes are commercially reasonable, do not materially reduce the security of the service, do not change the scope of Guance's processing of Customer Personal Data, and do not have a material adverse effect on the customer's rights under this DPA.

Appendix A: Details of Data Processing

  1. List of Parties

1.1 Data Exporter:

Name: [ ]

Address: [ ]

Contact Name: [ ], Position: [ ], Contact Information: [ ]

Activities related to data transfer under this Data Processing Agreement: Processing Customer Personal Data and Account Data to provide, support, and improve the service.

Signature and Date: Both parties agree that signing the Agreement constitutes the signing of this Appendix A.

Role (Controller/Processor): For Customer Personal Data, it is the Processor or Controller; for Account Data, it is the Controller.

1.2 Data Importer:

Name: Shanghai Guance Future Information Technology Co., Ltd.

Address: Building 7, No. 399 Keyuan Road, Pudong New Area, Shanghai

Contact Name: [ ], Position: [ ], Contact Information: [ ]

Activities related to data transfer under this Data Processing Agreement: Processing Customer Personal Data and Account Data to provide, support, and improve the service.

Signature and Date: Both parties agree that signing the Agreement constitutes the signing of this Appendix A.

Role (Controller/Processor): For Customer Personal Data, it is the Processor; for Account Data, it is the Controller.

  2. Description of Data Transfer

2.1 Categories of Data Subjects Whose Personal Data is Transferred

(1) Account Data: Data subjects may include the customer's employees.

(2) Customer Personal Data: Data subjects may include the customer's employees, customers, suppliers, and end-users.

2.2 Categories of Personal Data Transferred

(1) Account Data: Personal data sent by the customer to Guance for the use of the service.

(2) Customer Personal Data: Personal data sent by the customer to Guance for the use of the service.

2.3 Sensitive Data

No sensitive data is transferred.

2.4 Frequency of Transfer (Whether the Data is Transferred on a One-Off or Continuous Basis)

Personal data is transferred continuously.

2.5 Nature of Processing

For Account Data: General account management and other activities as outlined in Guance's public privacy policy.

For Customer Personal Data: Analysis, storage, and other services as described in the Agreement, order, DPA, and documentation.

2.6 Purpose of Data Transfer and Further Processing

To enable Guance to provide products to the customer and to exercise its rights and obligations under the Agreement.

2.7 Retention Period of Personal Data

For Account Data: Personal data is retained to manage the customer's account in accordance with Guance's privacy policy.

For Customer Personal Data: Personal data is retained according to the customer's service configuration or the retention schedule outlined in the documentation.

Appendix B: Technical and Organizational Measures

Guance will implement at least the following technical and organizational security measures for Customer Personal Data processed on behalf of the customer.

  1. Encryption and Key Management

1.1 Guance maintains encryption mechanisms and cryptographic key management policies and procedures to ensure effective management within Guance's encryption systems.

1.2 Guance encrypts data at rest and during transmission over public networks in accordance with industry standard practices (if applicable).

  2. Compliance Audits

2.1 Guance will maintain SSAE 18 SOC 2 certification, or similar certification, during the term of the Agreement. This certification will be renewed annually. Upon the customer's request, Guance will provide a summary of its most recent SOC 2 report within 12 months of the Agreement's effective date.

2.2 Guance follows the guidelines of ISO 27001 and other industry standard practices.

  3. Access Control

3.1 Only authorized users have access to data, including data stored on any electronic or portable media or during transmission. Authorized users shall only have access to the data and resources necessary for their respective duties.

3.2 Guance maintains user access controls to ensure timely provisioning and de-provisioning of user accounts.

  4. Business Continuity

4.1 Guance maintains business continuity, backup, and disaster recovery plans ("BC/DR Plans") to minimize service interruptions and comply with applicable laws.

4.2 The BC/DR Plans cover threats to the service and any dependencies, and establish procedures for restoring access to and use of the service. The BC/DR Plans are tested regularly.

  5. Change Control

5.1 Guance maintains policies and procedures for changes to the service, including underlying infrastructure and system components, to ensure quality standards are met.

5.2 Guance conducts penetration testing of its network and services annually. Any vulnerabilities identified during testing will be remediated in accordance with Guance's vulnerability management policies and procedures and assessed in accordance with Guance's risk management framework.

5.3 Guance regularly conducts network vulnerability scans. Any vulnerabilities identified will be remediated in accordance with Guance's vulnerability management policies and procedures and assessed in accordance with Guance's risk management framework.

5.4 Security patches are applied in accordance with Guance's patch update schedule.

  6. Data Security

6.1 Guance implements technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.

6.2 Guance isolates Customer Personal Data in production environments.

  7. Governance and Risk Management

7.1 Guance maintains an information security program, which is reviewed at least annually.

7.2 Guance maintains a risk management program, which conducts risk assessments at least annually.

  8. Administrative Controls

8.1 Guance uses third parties to conduct employee background checks on all Guance personnel who have access to Customer Personal Data.

8.2 Guance employees are required to complete onboarding and annual security awareness training.
