Data Processing Agreement
Last Updated: 22 May, 2025
This Data Processing Agreement with its appendices (together “DPA”) forms an integral part of and is incorporated into the Torq Master Service Agreement, or other mutually executed written agreement that references this DPA, in place between Torq and the entity entering into the Agreement (“Customer”), covering Customer’s use of Torq Services (“Agreement”). Torq reserves the right to modify this DPA by providing Customer advance written notice (in the event of a material change) or by updating the terms on Torq’s website. Customer’s use of the Services after the implementation of said change will be deemed as acceptance by Customer of said change.
Capitalized terms used below which are not defined herein will have the meaning set forth in the Agreement, or the meaning of such equivalent or similar term set forth in the Agreement. In the event of a conflict with the terms of the Agreement and this DPA, this DPA will take precedence to the extent required to resolve such conflict.
- DEFINITIONS
- PROCESSING OF PERSONAL DATA
- Roles of the Parties. The parties acknowledge and agree that with regards to the Processing of Personal Data: (a) Customer is the Data Controller and/or Data Processor, and/or (b) Torq is the Data Processor and/or Sub-processor.
- Details of Processing. Details relating to the nature and purposes, and duration of the Processing, as well as the categories of Data Subjects and types of Personal Data Processed are specified in Appendix 1 (Details of the Processing). The parties agree that Appendix 1 shall satisfy any requirement under applicable Data Protection Laws and Regulations to provide details regarding the nature of the Processing activities related to Customer’s Personal Data.
- Customer’s Obligations. Customer shall comply with the Data Protection Laws and Regulations, the Agreement and this DPA when acting as a Data Controller or Data Processor, including without limitation when providing Instructions to Torq for the Processing of Personal Data. Customer shall have sole responsibility for the means by which Customer acquires Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies), and shall have any and all required legal bases in order to collect, Process and transfer to Torq the Personal Data, and to authorize the Processing by Torq of the Personal Data under this DPA.
- Torq’s Processing of Personal Data. Torq shall Process Personal Data on behalf of Customer as necessary to provide the Services for the purposes specified in the Agreement and this DPA, all in accordance with the Instructions and Data Protection Laws and Regulations. Notwithstanding the foregoing, if Torq is unable to comply with applicable Data Protection Laws and Regulations, Torq agrees to immediately provide written notification to Customer of such inability to comply therewith.
- Customer Instructions. If Torq determines, in its sole judgment, that any Instruction is unlawful and/or that it cannot reasonably be complied with, or if Torq is required under any applicable law to Process Personal Data other than as instructed by Customer, then Torq shall, to the extent permitted by law, inform Customer without undue delay. Torq may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing data). Torq shall not be liable to any third party claim arising from Torq’s acts or omissions carried out in accordance with Customer’s Instructions.
- Sensitive Data. The parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Customer wishes to use the Services to Process Sensitive Data, it must first obtain Torq’s explicit prior written consent and enter into any additional agreements as may be required by Torq.
- ASSISTANCE AND COOPERATION OBLIGATIONS
- Data Subject Rights. If Torq receives a request from a Data Subject to exercise any of its rights under Data Protection Laws and Regulations, Torq shall, to the extent legally permitted, promptly notify Customer and redirect the Data Subject to Customer to enable Customer to respond directly to said request.
- Third Party Requests. Unless prohibited by law, Torq shall promptly notify Customer of any valid and enforceable subpoena, warrant, or court order from any law enforcement or public authority compelling Torq to disclose the Personal Data. Torq shall follow its internal law enforcement guidelines in responding to such bodies. If Torq receives an inquiry or a request for information from any other third party, such as any Supervisory Authority, concerning the Processing of the Personal Data, Torq shall redirect such inquiries to Customer, and shall not provide any information unless required to do so under applicable law.
- Cooperation Obligation. Taking into account the nature of the Processing, Torq shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligations under applicable Data Protection Laws and Regulations, including with respect to data protection impact assessments and/or consultations with Supervisory Authorities; provided Customer shall, to the extent permitted under Data Protection Laws and Regulations, reimburse Torq for reasonable costs arising from Torq’s assistance, where the assistance exceeds reasonable commercial efforts and resources.
- TORQ PERSONNEL
- SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that: (a) Torq’s affiliates may be engaged as Sub-processors; and (b) Torq and Torq’s affiliates may each engage third party Sub-processors in connection with the provision of the Services.
- Current Sub-processors. Torq’s current list of Sub-processors is available here, and is hereby approved by Customer as of the date of execution of this DPA.
- New Sub-processors. Torq shall provide notification to Customer of any new Sub-processor(s) Torq wishes to engage. Customer may reasonably object to Torq’s use of a new Sub-processor for reasons related to the protection of Personal Data intended to be Processed by such Sub-processor by notifying Torq promptly in writing within thirty (30) days after receipt of Torq’s notice. Failure to object to such new Sub-processor within the aforementioned timeframe shall be deemed as acceptance of the new Sub-processor. In the event Customer reasonably objects to a new Sub-processor in accordance with the foregoing, Torq shall use reasonable efforts to replace the Sub-processor or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Torq is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Torq without the use of the objected-to new Sub-processor by providing written notice to Torq, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Torq. Customer shall have no further claims against Torq due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA as set forth in this Section.
- Agreements with Sub-processors. Torq or any Torq affiliate has entered into a written agreement with each existing Sub-processor and shall enter into a written agreement with each new Sub-processor, containing the same or materially similar data protection obligations as set out in this DPA, and in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws and Regulations. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Torq shall remain responsible to Customer for the performance of the Sub-processor’s obligations.
- Third Party Services. Any Processing of Personal Data by any third party service which Customer chooses to use in connection with the Services, shall be governed solely by the terms and privacy policies applicable to such third party service, and Torq shall not be responsible for such Processing. For clarity, providers of third party services shall not be deemed Sub-processors for any purpose under this DPA.
- SECURITY
- PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
- THIRD-PARTY CERTIFICATIONS AND AUDITS
- Audit Reports and Certifications. Upon request, Torq shall supply a confidential summary copy of relevant audit reports to Customer to allow Customer to verify Torq’s compliance with its obligations under this DPA and the audit standards against which it has been assessed. If Customer cannot reasonably verify Torq’s compliance with this DPA, Torq shall provide written responses to any reasonable request by Customer for additional information regarding its Processing activities under this DPA, provided that such right may only be exercised once annually during the term of the Agreement.
- On-site Audits. To the extent Customer cannot reasonably verify Torq’s compliance with this DPA pursuant to Section 8.1 above, or where required under applicable Data Protection Laws and Regulations, Customer may, no more than once annually during the term of the Agreement, and subject to providing Torq reasonable written notice of any audit, at least thirty (30) days in advance, conduct on-site audits to assess Torq’s compliance with the terms of this DPA, at Customer’s expense. Customer acknowledges that Torq has a multi-tenant cloud environment and that any on-site audit shall be limited to Torq’s corporate headquarters or any other mutually-agreed upon Torq location. Audits shall be conducted during Torq’s regular business hours and shall not impact Torq’s Services or business operations. Audits may be conducted by Customer’s personnel or another third party auditor mandated by Customer (provided that such auditor is not a competitor of Torq), subject to adequate confidentiality undertakings and provided that such audits shall be restricted to information relevant to Customer’s use of the Services under the Agreement.
- RETURN AND DELETION OF PERSONAL DATA
- DATA TRANSFERS
- Transfers to Adequate Countries. Personal Data may be transferred from the European Union Member States, the three European Economic Area member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), the United Kingdom and Switzerland to countries that offer an adequate level of data protection pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States, the UK and Switzerland, as applicable (“Adequacy Decisions”), without any further safeguards being necessary.
- Transfers outside of EEA. Where Personal Data protected by the EU GDPR is transferred to a country outside of the EEA that is not subject to an Adequacy Decision, the parties hereby enter into the EU SCCs as further set out in Appendix 2, which EU SCCs are hereby incorporated by reference and deemed an integral part hereof. To the extent that there is any conflict or inconsistency between the terms of the EU SCCs and the terms of this DPA, the terms of the EU SCCs shall take precedence.
- Transfers outside of the UK. Where Personal Data protected by the UK GDPR is transferred to a country outside of the United Kingdom that is not subject to an Adequacy Decision, the parties hereby enter into the UK IDTA as further set out in Appendix 2, which UK IDTA are hereby incorporated by reference and deemed an integral part hereof. To the extent that there is any conflict or inconsistency between the terms of the UK IDTA and the terms of this DPA, the terms of the UK IDTA shall take precedence.
- Transfers outside of Switzerland. Where Personal Data protected by the Swiss FADP is transferred to a country outside of Switzerland that is not subject to an Adequacy Decision, the parties hereby enter into the Swiss SCCs as further set out in Appendix 2, which Swiss SCCs are hereby incorporated by reference and deemed an integral part hereof. To the extent that there is any conflict or inconsistency between the terms of the Swiss SCCs and the terms of this DPA, the terms of the Swiss SCCs shall take precedence.
- US DATA PROTECTION LAWS
The terms “Data Controller”, “Data Processor”, “Data Subject”, “Member State”, “Processing” and “Supervisory Authority” shall have the meanings as provided under the applicable Data Protection Laws and Regulations. For the purposes of clarity, to the extent that the CCPA applies, the terms “Data Controller”, “Data Processor” and “Data Subject” used in this DPA shall mean “Business”, “Service Provider” and “Consumer” respectively, all as defined under the CCPA.
“Data Protection Laws and Regulations” means all national, federal or state laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU GDPR, UK GDPR, Swiss FADP, Israeli Data Protection Laws, and US Data Protection Laws.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended or superseded from time to time.
“Instructions” means the written, documented instructions issued by Customer to Torq directing Torq to perform a specific or general action regarding Personal Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is Processed by Torq solely on behalf of Customer under the Agreement and this DPA.
“Security Documentation” means Torq’s security documentation applicable to the Services purchased by Customer, as updated by Torq from time to time, as made available at Torq’s Trust Centre.
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws and Regulations, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offences; (d) Personal Data relating to children; and/or (e) account passwords in unhashed form.
“Standard Contractual Clauses” or “SCCs” means, as applicable: (a) in respect of transfers of Personal Data subject to the EU GDPR, the Standard Contractual Clauses between controllers and processors and between processors and processors (as applicable), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II and V thereto (“EU SCCs”); (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0), as incorporated into the EU SCCs through Annex III thereto (“UK IDTA”); and (c) in respect of transfers of Personal Data subject to the Swiss FADP, the EU SCCs as supplemented by the Swiss FADP, as incorporated into the EU SCCs through Annex IV thereto (“Swiss SCCs”).
“Sub-processor” means any third party that is engaged by a Data Processor to carry out specific Processing activities of Personal Data.
“Swiss FADP” means the Swiss Federal Act on Data Protection of 19 June 2022, as revised as of 25 September 2020, and its implementing regulations, as may be amended or superseded from time to time.
“UK GDPR” means the Data Protection Act 2018, as well as the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, all as may be amended or superseded from time to time.
“US Data Protection Laws” means any US federal or state laws applicable to the Processing of Personal Data under the Agreement, as are already enacted or may be enacted from time to time, including but not limited to the California Consumer Privacy Act of 2018, as modified by the California Privacy Rights Act of 2020 (“CCPA”).
Torq shall grant persons under its authority (including, without limitation, its personnel) access to the Personal Data on a “need-to-know” basis only, and shall ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality.
Taking into account the state of the art, Torq shall maintain all industry-standard technical and organizational measures required pursuant to applicable Data Protection Laws and Regulations for protection of Personal Data to ensure lawful Processing of Personal Data and to safeguard the Personal Data from unlawful or accidental destruction, loss, alteration, or unauthorized disclosure or access, all as set forth in the Security Documentation. Customer acknowledges that the aforementioned technical and organizational measures are subject to technical progress and review and that Torq may update and/or modify such measures from time to time, provided however that such updates and/or modifications do not materially diminish the existing measures in place as of the Effective Date.
To the extent required under applicable Data Protection Laws and Regulations, Torq shall notify Customer without undue delay after becoming aware of any actual or reasonably suspected unlawful or accidental destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data Processed by Torq on behalf of Customer (“Personal Data Incident”). Torq shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Torq deems necessary, possible and reasonable in order to remediate the cause of such Personal Data Incident to the extent the remediation is within Torq’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Torq, Torq shall assist Customer by providing information reasonably necessary for Customer to meet its Personal Data Incident notification obligations under applicable Data Protection Laws and Regulations; it being clarified that Customer shall at all times be the party responsible for notifying any Supervisory Authority and/or concerned Data Subjects with respect to the Personal Data Incident, unless otherwise agreed in writing by the parties. It is hereby clarified that: (a) Torq’s notification to Customer of a Personal Data Incident as set forth in this Section shall not be deemed an acknowledgment by Torq of any fault or liability; and (b) the remediation obligations herein shall no longer apply if it is subsequently determined that such Personal Data Incident was caused by Customer or any Permitted User.
Subject to the Agreement and Torq’s data retention policies, Torq shall, at Customer’s election, delete or return the Personal Data to Customer during and/or at the end of the provision of the Services, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent allowed by applicable law, Torq may retain a copy of the Personal Data for evidentiary purposes, for the establishment, exercise or defense of legal claims and/or otherwise to comply with applicable laws and regulations. If Customer requests the Personal Data to be returned, Personal Data shall be returned in the format generally available for Torq’s customers.
If Torq transfers, either directly or via onward transfers, Personal Data protected by the EU GDPR, the UK GDPR and/or the Swiss FADP, the following shall apply:
If Personal Data Processed under this DPA is subject to US Data Protection Laws, the terms outlined under Appendix 3 shall apply, which shall supplement the terms of this DPA.
APPENDIX 1 – DETAILS OF THE PROCESSING
- Subject Matter. Torq will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
- Nature and Purpose of Processing. Torq will Process the Personal Data in order to provide the Services to Customer, all as agreed by the parties under the Agreement. Torq will use Personal Data in compliance with Customer’s Instructions, and any applicable laws to which Torq is subject.
- Duration of Processing. Torq will Process Personal Data for the duration of the provision of the Services as set forth in the Agreement, unless otherwise agreed upon in writing.
- Categories of Data Subjects. The categories of data subjects relating to the Personal Data that will be Processed by Torq are dependent on Customer, and may include the following categories:
- Users authorized by Customer to access and use the Services;
- Customer’s employees, agents, advisors and freelancers;
- Customer’s customers, prospects, business partners and vendors, and any of their respective employees; and
- Any other third party individual whose Personal Data is provided by the Customer in connection with its use of the Services.
- Type of Personal Data. When setting up a user account and using the Services to hyperautomate and manage security processes and cases, Customer may submit different types of Personal Data to the Services for Processing by Torq. The types of Personal Data Processed by Torq will be determined by Customer at its sole discretion depending on how Customer chooses to use the Services, but may include the following: full name, email address, avatar, account age, IP address, browser cookie/tag data, geographical data (imprecise), unique personal identifier.
APPENDIX 2 – STANDARD CONTRACTUAL CLAUSES
EU SCCs
The EU SCCs are hereby incorporated into this DPA by reference as follows:
- Module 2 (Controller-to-Processor) and/or Module 3 (Processor-to-Processor) (as applicable) of the EU SCCs will apply, with respect to restricted transfers between Customer and Torq that are subject to the EU GDPR. The parties agree that Customer is the “data exporter” and Torq is the “data importer” and the following shall apply: (a) Clause 7 shall apply; (b) in Clause 9, option 2 shall apply and the method for changing Sub-processors is described in Section 5 of the DPA (Sub-processors); (c) in Clause 11, the optional language shall be not applicable; (d) in Clause 13, the relevant option applicable to Customer, as informed by Customer to Torq; (e) in Clause 17, option 1 shall apply, and the parties agree that the EU SCCs shall be governed by the laws of Ireland; and (f) in Clause 18(b), the parties choose the courts of Ireland, as their choice of forum and jurisdiction.
- The Appendix of EU SCCs shall be populated as follows:
- Annex I.A (List of Parties): With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Torq as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Torq as a data processor (sub-processor). Data Exporter and Data Importer contact details (name, address and contact details) shall be as detailed in the preamble of the DPA. Activities relevant to the data transferred under these clauses shall be as specified in Appendix 1 of the DPA. Signature and Date: By entering into the Agreement and this DPA, each party is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- Annex I.B (Description of Transfer) shall be completed as described in Appendix 1 (Details of the Processing) of this DPA.
- Annex I.C (Competent Supervisory Authority) shall be the Irish supervisory authority.
- Annex II (Technical and organisational measures including technical and organisational measures to ensure the security of the data) shall be completed as described in the Security Documentation.
- Annex III (List of Sub-processors) shall be completed as detailed here.
UK ADDENDUM
The UK IDTA is hereby incorporated into this DPA by reference as follows:
- Table 1 shall be as set out in Annex I.A of the EU SCCs (List of Parties).
- Table 2 shall be completed as follows: Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) (as applicable) of the EU SCCs will apply, with respect to restricted transfers between Customer and Torq that are subject to the UK GDPR. The parties agree Customer is the “data exporter” and Torq is the “data importer” and the following shall apply: (a) Clause 7 shall apply; (b) in Clause 9, option 2 shall apply and the method for changing Sub-processors is described in Section 5 of the DPA (Sub-processors); (c) in Clause 11, the optional language shall be not applicable; (d) in Clause 13, the relevant option applicable to Customer, as informed by Customer to Torq; (e) in Clause 17, option 1 shall apply, and the parties agree that the governing law shall be the laws of England and Wales; and (f) in Clause 18(b), the parties choose the courts of England and Wales, as their choice of forum and jurisdiction.
- Table 3:
- Annex I.A (List of Parties): With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Torq as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Torq as a data processor (sub-processor). Data Exporter and Data Importer contact details (name, address and contact details) shall be as detailed in the preamble of the DPA. Activities relevant to the data transferred under these clauses shall be as specified in Appendix 1 of the DPA. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed this UK IDTA incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- Annex I.B (Description of Transfer) shall be completed as described in Appendix 1 (Details of the Processing) of this DPA.
- Annex II (Technical and organisational measures including technical and organisational measures to ensure the security of the data) shall be completed as described in the Security Documentation.
- Annex III (List of Sub processors) shall be completed with the authorized sub-processors detailed here.
- Table 4: Both the data importer and data exporter may end the UK IDTA.
SWISS SCCs
The Swiss SCCs are hereby incorporated into this DPA by reference as follows:
- The EU SCCs shall apply with the amendments set forth in this Section.
- References in the EU SCCs to the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” shall be interpreted to include the Swiss FADP.
- References in the EU SCCs to Regulation (EU) 2018/1725 shall be removed.
- References in the EU SCCs to “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- Where transfers are exclusively subject to the Swiss FADP, all references in the EU SCCs to the GDPR are to be understood to be references to the Swiss FADP.
- Where transfers are subject to both the Swiss FADP and the EU GDPR, all references in the EU SCCs to the GDPR are to be understood to be references to the Swiss FADP insofar as the transfers are subject to the Swiss FADP.
- The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for transfers exclusively subject to the FADP.
- Any transfer subject to both the GDPR and Swiss FADP shall be dealt with by the EU Supervisory Authority named in the “EU SCCs” section above.
ADDITIONAL SAFEGUARDS
In the event of any transfer where the EU SCCs, the IDTA or Swiss SCCs apply, the parties agree to supplement these Standard Contractual Clauses with the following safeguards and representations, as appropriate:
- Torq shall have in place and maintain in accordance with generally-accepted industry practice, measures to protect the Personal Data from interception (including in transit from Customer to Torq and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data, and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
- Torq shall make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the EU GDPR, UK GDPR, or Swiss FADP, including under Section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
- If Torq becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Torq shall:
- inform the relevant government authority that Torq is a processor of Personal Data and that Customer has not authorized Torq to disclose Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to Personal Data should therefore be notified to or served upon Customer in writing; and
- use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Torq’s control. Notwithstanding this: (a) Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access; and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Torq reasonably believes in good faith that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection 3.2 shall not apply. In such an event, Torq shall notify Customer as soon as possible following the access by the government authority and provide Customer with relevant details of the same, unless and to the extent legally prohibited to do so.
- Once during every twelve (12) month period, Torq shall, upon Customer’s written request, provide details of the types of binding legal demands for Personal Data it has received but solely to the extent such demands have been received, including national security orders and directives which shall encompass any process issued under Section 702 of FISA.
APPENDIX 3 – US-SPECIFIC TERMS
The following terms apply where Torq Processes Personal Data subject to the US Data Protection Laws:
- Torq shall Process Personal Data as a Service Provider on behalf of Customer in accordance with the US Data Protection Laws, including by providing the same level of privacy protection as required by US Data Protection Laws. Torq shall not:
- retain, use, disclose or otherwise Process such Personal Data for a commercial purpose other than for the limited and specified purposes identified in the Agreement and/or this DPA, or as otherwise permitted under US Data Protection Laws;
- Sell or Share such Personal Data (as such terms are defined in US Data Protection Laws), without Customer’s prior written authorization;
- retain, use, disclose or otherwise Process such Personal Data outside the direct business relationship with Customer; and
- combine such Personal Data with personal information that it receives from other sources, except as permitted under US Data Protection Laws.
- Torq shall use commercially reasonable efforts to inform Customer if it determines that it can no longer meet any material obligation under US Data Protection Laws within the timeframe specified by such laws. Upon Customer’s written notice, Torq shall use commercially reasonable and appropriate steps to remediate Torq’s alleged unauthorized use of Personal Data, provided that Customer shall explain and demonstrate in said written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons.
- To the extent Customer discloses or otherwise makes available de-identified data to Torq or to the extent Torq creates de-identified data from the Personal Data, in each case in its capacity as a Service Provider, Torq shall:
- adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
- publicly commit to maintain and use such de-identified data in a de-identified form and to not attempt to re-identify the de-identified data, except that Torq may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US Data Protection Laws; and
- before sharing de-identified data with any other party, including Sub-processors, contractually obligate any such Recipients to comply with all requirements of this Section 3 (including imposing this requirement on any further recipients).