GDPR: Data Processing Addendum
Estii as Data Processor
Estii is committed to complying with the General Data Protection Regulation (“GDPR”), and enabling our customers to comply with data protection law. We understand the GDPR has robust requirements and obligations for both data controllers and data processors and we are committed to ensuring GDPR compliance. Our DPA is available below so that our customers can be confident that their data is processed in a lawful and transparent manner.
This GDPR Data Processing Addendum (“DPA”) is supplementary to, and forms part of the Terms of Service available at https://estii.com/terms or such other location as the Terms of Service may be posted from time to time (as applicable, the “Terms”), entered into by and between the Customer (”Customer”)and Estii Co Pty Ltd (“Estii”), pursuant to which Customer has accessed Estii’s Services as defined in the applicable Terms. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
In the course of providing the Services to Customer pursuant to the Terms, Estii may process personal data on behalf of Customer. Estii agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Services or collected and processed by or for Customer through the Services. Any capitalised but undefined terms herein shall have the meaning set forth in the Terms.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
The terms “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation.
The parties agree that Customer is the data controller and that Estii is its data processor in relation to personal data that is processed in the course of providing the Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Estii pursuant to the Terms.
The subject-matter of the data processing covered by this DPA is the Services ordered by Customer through Estii’s website and provided by Estii to Customer via estii.com or as additionally described in the Terms or the DPA. The processing will be carried out until the term of Customer’s ordering of the Services ceases.
In respect of personal data processed in the course of providing the Services, Estii:
- shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Terms or as otherwise notified by Customer to Estii). If Estii is required to process the personal data for any other purpose provided by applicable law to which it is subject, Estii will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest.
- shall notify Customer without undue delay if, in Estii’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
- shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
- may hire other companies to provide limited services on its behalf, provided that Estii complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Estii has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Estii remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Estii transfers personal data will have entered into written agreements with Estii requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Customer inAppendix A of this DPA.
- shall ensure that all Estii personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause.
- at the Customer’s request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Estii reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
- Shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Estii reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
- at the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer.
- may transfer personal data from the EEA to the US and Australia for the purposes of this DPA.
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the Terms and allow for and contribute to audits, conducted by the controller or another auditor mandated by the controller. The purposes of an audit pursuant to this Clause include to verify that Estii is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. For the avoidance of doubt no access to any part of Estii’s IT system, data hosting sites or centers, or infrastructure will be permitted. Before the commencement of any such audit, Customer and Estii shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Estii with information regarding any non-compliance discovered during the course of an audit. Customer may not audit Estii more than once annually. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Estii expends for any such audit, in addition to the rates for services performed by Estii.
- If Estii becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Estii in the course of providing the Services (an “Incident”) under the Terms it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Estii shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident. Estii shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Data Subjects
Any users of the Customer’s Space
Data Processing Activities
The provision of Services by Estii to Customer.
Term
This DPA shall remain in effect as long as Estii carries out Personal Data processing operations on behalf of Customer or until the termination of the Estii Contract (and all Personal Data has been returned or deleted in accordance with terns above).
List of Sub-Processors
Estii Co Pty Ltd uses sub-processors (listed below), to assist in providing services as described in our Terms of Service.
Infrastructure sub-processors
| Sub-processor | Purpose | Country | More info |
|---|---|---|---|
| Cloudflare | Cloud hosting | USA | https://www.cloudflare.com/privacypolicy/ |
| Vercel | Content delivery network | USA | https://vercel.com/legal/privacy-policy |
Platform sub-processors
| Sub-processor | Purpose | Country | More info |
|---|---|---|---|
| Sendgrid | Email Delivery Service | USA | https://sendgrid.com/policies/security/ |
| Stripe | Credit card payments | USA | https://stripe.com/en-au/privacy |
| Google Analytics | Analytics | USA | https://policies.google.com/privacy |
Customer support sub-processors
| Sub-processor | Purpose | Country | More information |
|---|---|---|---|
| Nolt | Product feedback | CA | https://nolt.io/help/privacy |
| Thermostat | Product surveys | USA | https://userscape.com/privacy |
| Google Forms | Product surveys | USA | https://policies.google.com/privacy |