Unanet Data Processing Addendum


This Data Protection Addendum (“DPA”) is entered into as of the Effective Date (defined below) between Unanet, Inc. (“Unanet” or “Processor”) and Customer (“Customer”). Unanet and Customer may each be referred to as a “Party” or collectively referred to as the “Parties”. To the extent applicable pursuant to the Unanet Cloud Terms & Conditions, this DPA shall be effective on the date Customer signs an Order Form with Unanet. Unless otherwise indicated, all capitalized terms used but not defined in this DPA have the meanings given to them in Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), or the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). The parties agree that for the purposes of this DPA, Customer is a Data Controller or Business and Unanet is a Data Processor or Service Provider.

 

  1. Definitions.  In this DPA:
    • “Applicable Law” means, as applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if Unanet processes Personal Data that is not governed by or its processing activities are not governed by Applicable Law, such law is not applicable for purposes of this DPA. Each party is responsible only for the Applicable Law applicable to it.
    • “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
    • “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by Applicable Law.
    • “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • “2010 Standard Contractual Clauses” means the annex found in EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of September 13, 2019 at data.europa.eu/eli/dec/2010/87/oj), completed as described in the “Data Transfers” section below.
    • “2021 Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
    • “Subprocessor” means any Processor affiliate or subcontractor engaged by Unanet for the Processing of Personal Data.
  2. Instructions from the Customer.  Unanet will retain, use, disclose, and otherwise Process the Personal Data only as described in the Unanet Cloud Terms & Conditions, unless obligated to do otherwise by applicable law.  In such case, Unanet will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Customer will not instruct Unanet to Process Personal Data in violation of any applicable law. Unanet has no obligation to monitor the compliance of Customer’s use of the Services with Applicable Law, though Unanet will promptly inform Customer if, in Unanet’s opinion, an instruction from Customer infringes applicable law. The Unanet Cloud Terms & Conditions, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Unanet regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses.    Without limiting the foregoing: 
    1. Unanet will not Process the Personal Data in a manner inconsistent with Unanet’s role as Customer’s “Service Provider,” as such term is defined in the CCPA.
    2. Unanet will not “sell” the Personal Data, as such term is defined in the CCPA.
    3. Unanet hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
  3. Confidentiality.  Unanet will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Unanet will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.  
  4. Security.  Unanet will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Customer and Processed by Unanet. 
  5. Subprocessors.  Customer agrees that Unanet may engage other Processors (“Subprocessors”) to assist in providing the Services consistent with the Unanet Cloud Terms & Conditions. Unanet will maintain a list of such Subprocessors and make it available to Customer upon request. Customer will have 10 calendar days from the date of such notification to object to Unanet’s use of new Subprocessors, after which time Customer will have been deemed to accept Unanet’s list of Subprocessors. Customer’s objection will be effective only if it articulates objective, justifiable reasons why it believes new Subprocessors are not able to adequately protect Personal Data in accordance with the Unanet Cloud Terms & Conditions, this DPA, or applicable data protection law. Where Unanet engages a Subprocessor for carrying out specific Processing activities on behalf of Customer, Unanet will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Unanet under this DPA.  Where that Subprocessor fails to fulfill its data protection obligations, Unanet will remain liable to Customer for the performance of that Subprocessor’s obligations.
  6. Data Subject Requests.  To the extent legally permitted, Unanet shall promptly notify Customer if Unanet receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding Personal Data.  Unanet has implemented and will maintain appropriate technical and organizational measures needed to enable Customer to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Unanet.  
  7. Recordkeeping.  Upon a request issued by a supervisory authority for records regarding Personal Data, Unanet will cooperate to provide the supervisory authority with records related to Processing activities performed on Customer’s behalf. To the extent legally permissible, Unanet will inform Customer in writing of such a request and partner with Customer working in good faith to verify the legal basis of the request. 
  8. Cooperation.  Unanet will cooperate to the extent reasonably necessary in connection with Customer’s requests related to any legally required data protection impact assessments and consultation with supervisory authorities. 
  9. Third Party Requests.  If Unanet receives a request from a third party in connection with any government investigation or court proceeding that Unanet believes would require it to produce any Personal Data processed pursuant to the Unanet Cloud Terms & Conditions, Unanet will inform Customer in writing of such request and cooperate with Customer if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
  10. Transfer of Personal Data; Appointment.  Customer authorizes Unanet to transfer, store or Process Personal Data in the United States or any other country in which Unanet or its Subprocessors maintain facilities. Customer appoints Unanet to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services.  Unanet will conduct all such activity in compliance with the Unanet Cloud Terms & Conditions, this DPA, applicable law and Customer’s instructions.
  11. Data Transfers Outside of the EU, UK, or Switzerland.
    To the extent that the Services involve a transfer of Personal Data originating from either party’s systems in the United Kingdom (UK), EEA or Switzerland to either party’s systems located in countries outside the UK, EEA, or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to applicable data transfer mechanisms.

     

    (a) If Customer is located in the United Kingdom and transfers Personal Data to Unanet in the United States and such transfer is governed by UK data protection law (and not the law in the EEA) and where such law permits use of the 2010 Standard Contractual Clauses but does not permit use of the 2021 Standard Contractual Clauses, for such transfer the Parties agree to be bound by the 2010 Standard Contractual Clauses. If there is a conflict between the 2010 Standard Contractual Clauses and the Unanet Cloud Terms & Conditions, the 2010 Standard Contractual Clauses will prevail. For purposes of the 2010 Standard Contractual Clauses:

    1. The clauses shall be governed by the laws of the jurisdiction from which the data is exported.
    2. Customer is the “Data Exporter” and Unanet is the “Data Importer”.
    3. The data subjects include Customer’s employees, independent contractors, or other end users.
    4. The purpose of the transfer is to allow Unanet to provide the Services outlined in the Unanet Cloud Terms & Conditions.
    5. The categories of Personal Data include names, email addresses, IP addresses, and other personally identifiable information and contact details, as determined by the customer.
    6. The recipients of the Personal Data include Unanet employees with a need to Process the Personal Data.
    7. Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Unanet Cloud Terms & Conditions.

    (b) To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard Contractual Clauses, which form part of this DPA and will be deemed completed as follows:

    1. Customer acts as exporter and controller and Unanet acts as processor and importer.  Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Customer to Unanet;
    2. Clause 7 (the optional docking clause) is not included;
    3. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). A list of sub-processors shall be available upon request. Unanet shall update that list and provide notice to Customer of any intended additions or replacements of sub-processors by providing a notice on its website.
    4. Under Clause 11, the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
    5. Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights): The Parties select the laws of Ireland;
    6. Under Clause 18, the parties select the courts of Ireland;
    7. With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP”), the 2021 Standard Contractual Clauses:

      • References to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
      • The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
      • References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
      • Under Annex I(C): Where the transfer is subject in whole or part to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP.
    vii. To the extent applicable, Annex IA shall be completed with the parties set forth in the Order Form between Unanet and its Customer and shall be deemed executed by the parties upon execution of the Order Form.  Annex IB, and II of the 2021 Standard Contractual Clauses are set forth below:

    • The data subjects include Customer’s employees, independent contractors, or other end users.
    • The categories of Personal Data include names, email addresses, IP addresses, and other personally identifiable information and contact details, as determined by the customer.
      • Sensitive Data: None anticipated, but the Services do not impose a technical restriction on the categories of Personal Data above provided through the Services.
    • The purpose of the transfer is to allow Unanet to provide the Services outlined in the Unanet Cloud Terms & Conditions.
    • The frequency of the transfer is on a continuous basis to provide the Services outlined in the Unanet Cloud Terms & Conditions.
    • Nature of the processing: The nature of the Processing is as set forth in the Unanet Cloud Terms & Conditions.
    • Purpose(s) of the data transfer and further processing is as set forth in the Unanet Cloud Terms & Conditions.
    • The period for which the personal data will be retained is for the time period needed to accomplish the purposes of processing, unless otherwise required by applicable law.
    • Transfers to subprocessors are for the same purposes as transfers to the processor.
    • The identity of competent supervisory authority/ies in accordance with Clause 13: shall be Ireland Data Protection Commissioner.
    • Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Unanet Cloud Terms & Conditions and at https://unanet.com/support/unanet-cloud-solution/.
  12. Deletion or Return.  At the choice of Customer, Unanet will delete or return all the Personal Data Processed in connection with the Services to Customer at any time or after the end of the provision of such Services and delete existing copies unless applicable law requires storage of the Personal Data. Unanet will relay Customer’s instructions to all Subprocessors. Notwithstanding the foregoing, this provision will not require Unanet to delete Personal Data from archival and back-up files except as provided by Unanet’s internal data deletion practices and as required by applicable law.
  13. Breach Notification.  Unanet will comply with the Personal Data Breach-related obligations directly applicable to it under applicable law. After becoming aware of a Personal Data Breach related to the Personal Data processed under the Unanet Cloud Terms & Conditions, Unanet will notify Customer without undue delay, to the extent known, of: (a) the nature of the data breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at Unanet. Unanet will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Personal Data Breach. Nothing shall be construed to require Unanet to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
  14. Audits.  No more than once annually (unless otherwise required by applicable law), Unanet shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to demonstrate Unanet’s compliance with this DPA or Article 28 of the GDPR. For clarity, such audits or inspections are limited to Unanet’s Processing of Personal Data subject to the GDPR on behalf of Customer only, not any other aspect of Unanet’s business or information systems or other customers. If Customer requires Unanet to contribute to audits or inspections that are necessary to demonstrate compliance, Customer will provide Unanet with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the Unanet Cloud Terms & Conditions, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Unanet Cloud Terms & Conditions. Such materials and derivative work product produced in response to Customer’s request will not be disclosed to anyone without the prior written permission of Unanet unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give Unanet prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Customer will make every effort to cooperate with Unanet to schedule audits or inspections at times that are convenient to Unanet. 
To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in the Unanet Cloud Terms & Conditions. If, after reviewing Unanet’s response to Customer’s audit or inspection request, Customer requires additional audits or inspections, Customer acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.