Data Processing & Security Terms

Introduction
The customer agreeing to these terms (“Customer”), and Serialized AB (“Serialized”, “we”, “us”) have entered into an agreement under which Serialized has agreed to provide the Services (as described in Serialized Terms & License Agreement, the “Agreement”) and related technical support to Customer.
These terms reflect the parties’ agreement with respect to the terms governing the processing and security of Customer Data (the “Terms”) under the Agreement.
Definitions
Affiliate means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.
Additional Security Controls means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines, including the Admin Console and other features and/or functionality of the Services such as encryption, logging and monitoring and identity and access management.
Customer Data means content provided to Serialized by Customer via the Services under the Account.
Customer End Users means the individuals Customer permits to use the Application.
Customer Personal Data means the personal data contained within the Customer Data.
Data Incident means a breach of Serialized’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Serialized. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
GDPR means Regulation (EU) 2016⁄679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Notification Email Address means the email address designated by Customer when registering for the Services to receive certain notifications from Serialized.
Subprocessors means third parties authorized under these Terms to have logical access to and process Customer Data in order to provide parts of the Services.
The terms "personal data”, "data subject”, "processing”, "controller”, "processor” and " supervisory authority” as used in these Terms have the meanings given in the GDPR, and the terms "data importer” and "data exporter” have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
Other defined terms shall have the meaning set out in the Agreement (if not otherwise stated in this document).
Scope of Data Protection Legislation
3.1 Application of European Legislation
The parties acknowledge and agree that the GDPR will apply to the processing of Customer Personal Data if, for example:
A. The processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA; and/or
B. The Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.
3.2 Application of Non-European Legislation

The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.
3.3 Application of Terms

Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether the GDPR or Non-European Data Protection Legislation applies to the processing of Customer Personal Data.
Processing of Data
4.1 Processor and Controller Responsibilities.
If the GDPR applies to the processing of Customer Personal Data, the parties acknowledge and agree that:

Serialized is a processor of that Customer Personal Data under the GDPR;
customer is a controller or processor, as applicable, of that Customer Personal Data under the GDPR;
each party will comply with the obligations applicable to it under the GDPR with respect to the processing of that Customer Personal Data.

If the GDPR applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Serialized that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Serialized as another processor, have been authorized by the relevant controller.

If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.

4.2 Scope of processing

By entering into these Terms , Customer instructs Serialized to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified via Customer’s use of the Services; (c) as documented in the form of the Agreement, including these Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Serialized as constituting instructions for purposes of these Terms ( “Customer’s Instructions”).

Data Deletion
5.1 Deletion by Customer
Serialized will enable Customer to delete Customer Data during the term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Serialized to delete the relevant Customer Data from Serialized’s systems in accordance with applicable law. Serialized will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
5.2 Deletion on Termination

On expiry of the Term the Customer shall inform Serialized without undue delay to return all Customer Personal Data to the Customer or, upon the Customer’s written notice destroy and erase all Customer Personal Data which is associated with the Agreement (including historical data and copies) from Serialized’s systems in accordance with applicable law. Serialized will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.
Data Security
6.1 Serialized's Security Measures
Serialized will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described Appendix: Security Measures. As described in Appendix 2, the Security Measures include:
a) measures to encrypt personal data;
b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Serialized’s systems and services;
c) to help restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d) a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Serialized may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
If the GDPR applies to the processing of Customer Personal Data, Serialized shall take all measures required pursuant to Article 32 of the GDPR.
6.2 Serialized’s Personnel, etc.

Serialized, its employees, and other persons who perform work under the Serialized’s supervision and who gain access to personal data belonging to the Customer may only process such personal data on the Customer’s Instruction, unless such person is obligated to do so pursuant to Union law or Member State law.
Serialized shall ensure that its employees and all other persons for whom Serialized is liable and who are authorized to process Customer Personal Data covered by the Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Additional Security Controls

In addition to the Security Measures, Serialized will make the Additional Security Controls available to:
a) allow Customer to take steps to secure Customer Data; and
b) provide Customer with information about securing, accessing and using Customer Data.
6.4 Serialized’s Security Assistance

Customer agrees that Serialized will, taking into account the nature of the processing of Customer Personal Data and the information available to Serialized, assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and Data Incidents, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
a) implementing and maintaining the Security Measures in accordance with Section 6.1 (Serialized’s Security Measures);
b) making the Additional Security Controls available to Customer in accordance with Section 6.3 (Additional Security Controls); and
c) complying with the terms of Section 6.5 (Data Incidents).
6.5 Data Incidents

If Serialized becomes aware of a Data Incident, We will:
a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and
b) promptly take reasonable steps to minimize harm and secure Customer Data.
Notifications made pursuant to this Section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Serialized recommends Customer take to address the Data Incident.
Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
Serialized will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
Serialized’s notification of or response to a Data Incident under this Section 6.5 (Data Incidents) will not be construed as an acknowledgement by Serialized of any fault or liability with respect to the Data Incident.
6.6 Customer’s Security Responsibilities

Customer agrees that, without prejudice to Serialized’s obligations under Section 6.1, 6.3 and 6.4 (Serialized’s Security Measures, Controls and Assistance) and Section 6.5 (Data Incidents):
a) Customer is solely responsible for its use of the Services, including:
i. making appropriate use of the Services and the Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Data; and
ii. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
iii.backing up its Customer Data;
b) Serialized has no obligation to protect Customer Data that Customer elects to store or transfer outside of Serialized’s and its Sub-processors’ systems (for example, offline or on-premises storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.
6.7 Customer’s Security Responsibilities

a) Customer is solely responsible for evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and Serialized’s commitments under this Section 6 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the GDPR and/or Non-European Data Protection Legislation, as applicable.
b) Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Serialized as set out in Section 6.1 (Serialized’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
6.8 Customer’s Audit Rights

Serialized shall grant the Customer access to all information which is required and necessary to enable the Customer to verify compliance with the obligations which follow from Article 28 of the GDPR and to enable and assist in audits, including inspections, which are conducted by the Customer or by an examiner authorised by the Customer. Serialized shall, at all times, be entitled to reasonable notice in the event the Customer wishes to exercise its right to conduct an audit or inspection and the Customer shall compensate Serialized for its costs incurred in connection with any such audit or inspection.
Data Subject Rights
7.1 Access; Rectification; Restricted Processing; Portability
During the Term, Serialized will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Serialized as described in Section 5.1 (Deletion by Customer), and to export Customer Data.
7.2 Customer’s Responsibility for Requests

During the Term, if Serialized receives any request from a data subject in relation to Customer Personal Data, Serialized will advise the data subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
7.3 Data Subject Request Assistance

Customer agrees that Serialized will (taking into account the nature of the processing of Customer Personal Data) assist Customer by taking suitable technical and organizational measures, to the extent possible, to enable the Customer to perform its obligation to respond to requests regarding the exercise of the Data subject’s rights in accordance with Chapter III of the GDPR, by:
a) providing the Additional Security Controls in accordance with Section 6.3 (Additional Security Controls); and
b) complying with the commitments set out in Section 7.1 (Access; Rectification; Restricted Processing; Portability) and Section 7.2 (Customer’s Responsibility for Requests).
Impact Assessment and Prior Consultation
Customer agrees that Serialized will (taking into consideration the nature of the processing and the information which is available to Serialized) assist the Customer in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the GDPR.
Data Transfers
9.1 Data Storage and Processing Facilities
Customer may select a geographical region for storing Customer Data. Serialized will store Customer Data in accordance with the terms provided by any of our Data Storage Sub-contractors. If a location selection is not made by Customer, Serialized or any Data Storage Sub-processor may store and process the relevant Customer Data outside the EEA, provided such transfer meets the requirement and undertakings which follows from the GDPR.
Sub-processors
10.1 Consent to Sub-processor Engagement
Customer specifically authorizes the engagement of Serialized’s Affiliates as Sub-processors. In addition, Customer generally authorizes the engagement of any other third parties as Sub-processors (“Third Party Sub-processors”).
10.2 Information about Sub-processors

Information about Sub-processors, including their functions and locations, is available upon request.
10.3 Requirements for Sub-processor Engagement

If the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in this Section 10.3 shall apply.
Where Serialized engages another processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in the Terms or other legal act between the Customer and Serialized shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and this Agreement.
Where that other processor fails to fulfil its data protection obligations, Serialized shall remain fully liable to the Customer for the performance of that other processor's obligations.
10.4 Opportunity to Object to Sub-processor Changes

Serialized will inform the Customer of any intended changes concerning the addition or replacement of Sub-processor. When any new Third Party Sub-processor is engaged or replaced during the term, Serialized will, at least 30 days before the new Third Party Sub-processor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by sending an email to the Notification Email Address.
Customer may object to any new Third Party Sub-processor by terminating the Agreement immediately upon written notice to Serialized via email, on condition that Customer provides such notice within 90 days of being informed of the engagement of the Sub-processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
Effect of These Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms will govern.
Appendix A: Security Measures
A.1 Data Location
Serialized provide geographically distributed data centers via its subcontractors.
A.2 Encryption Technologies

The Services provided by Serialized all use HTTPS encryption (also referred to as SSL or TLS connection) to ensure that all data in transit is secure.
A.3 Data Storage and Isolation

Serialized stores data in a multi-tenant environment on servers controlled or owned by Serialized. Serialized additionally logically isolates each Customer’s data. For Multi-Tenant Projects (described in Terms) the data for each Customer Tenant is isolated.