ParsePort’s Data Processing Agreement – v.Nov.2023
Last updated November 2023
1. THE PARTIES
This agreement shall exclusively apply in relation to the processing of Personal Data processed by the Supplier in connection with the Supplier’s provision of the Products and Services to the Customer. Products and Services are defined in the applicable Order and Schedule(s). This Data Processing Agreement is entered into between the Supplier hereby as the “Data Processor” (and/or also as “ParsePort”, “Supplier”, “we”, “our”, “us”. etc.) and the Customer hereby as “Data Controller” (and/or also as “Customer”, “you”, “your”, etc.), both already qualified in the Service License Agreement, and replaces any previous versions signed between the Parties.
2. DEFINITIONS
2.1. Terms and expressions with capital first letters used in the Data Processing Agreement shall have the meaning set out in the Agreement, especially in this Clause 2 and/or in the GDPR.
2.2. “Confidential Information” shall have the same meaning as defined in the General License Terms.
2.3. “Customer”, “you”, yours”, etc. shall mean a user or subscriber of Products and Services provided by Data Processor.
2.4. “Data Subject” shall mean the identified or identifiable natural person to whom Personal Data refers.
2.5. “Data Processor” means the Supplier and/or a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
2.6. “Data Controller” means the Customer and/or natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.7. “GDPR” shall mean the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data). In Denmark, GDPR is supplemented by the Act on supplementary provisions to the regulation on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Act No. 502 of 23 May 2018 as amended from time to time) (the “Data Protection Act”). Under the Data Processing Agreement, a reference to GDPR shall also be a reference to the Data Protection Act.
2.8. “Parties” shall mean the Data Controller and Data Processor jointly and each a “Party”.
2.9. “Personal Data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Categories of Personal Data processed by the Data Processor under the Data Processing Agreement are set out in Appendix 1 to the Data Processing Agreement.
2.10. “Pre-Approved Subcontractors” shall be our Subcontractors and Third Parties listed in Supplier’s website https://parseport.com/legal/DPAsubcontractors/ , which is approved by Customer upon this Agreement’s Effective Date.
2.11. “Privacy Policy” shall mean our Privacy Policy as updated from time to time. The current, applicable Privacy Policy is available on our website here: https://parseport.com/parseport-made-xbrl-simple/cookies-and-privacy-policy/.
2.12. “Products and Services” shall mean all products and services rendered to you by us, specified in the applicable Order and Schedule(s) or not.
2.13. “Software” shall mean the XBRL Converter, as defined in the General License Terms and the Schedule(s).
2.14. “Subcontractor” shall mean a Third Party who performs work or provides a service to the Supplier under a bilateral contract, meaning under a written contract negotiated between its parties. To be considered Subcontractor for the purposes of the Agreement, the service provided by such Subcontractor must be part of the Services provided by the Supplier to the Customer.
2.15. “Third Party” shall mean a natural or legal person, public authority, agency, or body other than the Data Subject, the Data Processor, the Customer, and persons who process or is part of the processing of the Customer’s Personal Data for the purposes of the Agreement and the Supplier’s provision of the Products and Services to the Customer.
3. SCOPE
3.1. The Data Processing Agreement concerns the Parties’ obligations related to our processing of Personal Data for the Customer in connection to the Customer’s use of our Products and Services.
3.2. Under the Data Processing Agreement, the Customer shall decide for what purpose and by use of what tools Personal Data may be processed.
3.3. The Data Processing Agreement shall apply to all the Data Processor’s Products and Services to all companies within Customer’s group of companies, for whom we process Personal Data.
3.4. The categories of Personal Data processed by us under the Data Processing Agreement are set out in Appendix 1 to the Data Processing Agreement.
4. ORDER OF PRECEDENCE
4.1. The Data Processing Agreement forms part of the Agreement or Service Agreement. In case of any inconsistencies between the Data Processing Agreement and the General License Terms or the Service Agreement, the Data Processing Agreement shall prevail, unless otherwise agreed by the Parties in the applicable Order.
5. AUTHORISATION TO PROCESS PERSONAL DATA
5.1. By entering into the Data Processing Agreement, we are instructed and authorized by you to process Personal Data on your behalf for the purpose of providing our Products and Services to you and according to the GDPR and the terms of this Agreement.
5.2. The Customer hereby authorizes the Supplier to: (i) store contact information (name and work email) from the Customer’s contact persons to create a login to the online portal and track log purposes (cloud-based Software) and, (ii) process the personal data contained in Customer’s annual report (if any) for the exclusive purpose of providing the Services to the Customer.
5.3. No data uploaded to the Software will be stored by the Supplier’s Software, all data is automatically erased right after fifteen minutes of its upload to the Software. We do not process Personal Data on your behalf unless they are need in connection to your use of our Software or the provision of our Products and Services.
5.4 The Supplier’s Processing of Personal Data is done in accordance with this Agreement and the GDPR, including applicable Danish legislation issued according to the GDPR or as a supplement hereto.
5.5. We are not entitled to make use of Personal Data provided by you, for purposes other than fulfilment of the Data Processing Agreement and the Services. However, we are entitled to use anonymized data (that can no longer be categorized as “Personal Data”) for historical, statistical, scientific, or similar purposes.
6. STORAGE OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
6.1. As a main rule, ParsePort’s operations are done within EU/EEA. However, Subcontractors may be located or process Personal Data outside the EU/EEA, including e.g., the US. Customer has provided its consent to Data Processor’s use of the Pre-Approved Subcontractors and Third Parties listed in Suppliers website: https://parseport.com/legal/DPAsubcontractors/.
6.2. Further information on our storage of Personal Data and use of Subcontractors can be found in our Privacy Policy, which the Customer represents to have read and agreed to it.
6.3. Before transferring Personal Data to a third country or an international organization outside the EU/EEA, Data Processor will ensure that the transfer is in accordance with rules on transfers of personal data to third countries or international organizations according to the GDPR.
6.4. We will also ensure that any sub-processing agreements between Data Processor and Pre-Approved Subcontractors outside the EU or EEA have adequate level of protection of the Personal Data and if necessary, entered pursuant to the EU Commission’s decision of 2021/914/EU regarding the standard model contract for transfer of personal data to countries outside the EU or EEA in addition to any permission from data protection authorities if legally required.
7. CONFIDENTIALITY OF PERSONAL DATA
7.1. The Parties agree, both for the duration of the Data Processing Agreement and subsequently that Personal Data shall be considered and treated as Confidential Information and so not disclosed to a third party without previous written authorization. This non-disclosure obligation shall not apply to information which (a) a Party is obliged to disclose under applicable law, regulations, or stock exchange rules (b) information provided to the client of the Customer if such information originates from or regards such client of the Customer, (d) information that is publicly available, and/or was made public without breaching this Agreement and/or (d) information which a Party document has been created by the Party itself.
7.2. The Parties shall ensure that employees and third parties who receive Confidential Information are obliged to accept a similar obligation regarding Confidential Information from the other Party and the cooperation in general in accordance with the Data Processing Agreement.
7.3. We will ensure that all people employed by us and or employed by a company from our group of companies with access to Personal Data are familiar with the Data Processing Agreement and are subject to the provisions of the Data Processing Agreement.
8. APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES
8.1. The Data Processor assists the Customer in ensuring compliance with the obligations pursuant to Article 32 to 36 of the GDPR considering the nature of processing and the information available to the Data Processor.
8.2 The Data Processor must, taking the risks related to the processing of Personal Data for the Customer into consideration, implement appropriate and reasonable technical and organizational measures to ensure a level of security that matches the risks of our data processing of Personal Data under the Data Processing Agreement, including reasonably ensuring (a) pseudonymization and encryption of Personal Data; (b) continuous confidentiality, integrity, availability and robustness of the processing systems and services for which the Data Processor is responsible; (c) timely recovery of the availability of and access to Personal Data in case of a physical or technical incident; (d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure processing security; (e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired and against any unauthorized disclosure, abuse or in any other way is processed in violation of any applicable law on Personal Data.
8.3. The Customer shall determine the appropriate level of technical and organizational measures. However, Data Processor shall, upon prior written request from the Customer and within reasonable time-limits from such a request, provide the Customer with sufficient information to document that the abovementioned technical and organizational security measures have been taken.
9. DATA SUBJECTS’ RIGHTS
9.1. The Data Processor shall upon request from the Customer, at the cost of the Customer and without undue delay provide all reasonable assistance and information to the Customer related to request from Data Subjects concerning the Data Processor’s processing of Personal Data for the Customer. Reasonable requests related to exercising of the Data Subjects’ rights according to the GDPR and to the extent it is permitted by GDPR will be resolved free of charge by the Supplier.
9.2. Data Processor’s fees for assistance to the Customer is regulated in Clause 14.
10. DATA SECURITY BREACH
10.1. In case of a Data Security Breach for which the Data Processor (or any Pre-Approved Subcontractor) is responsible, the Data Processor shall inform the Customer hereof without undue delay and assist in what it is needed to stop the breach and minimize its effects including communication of the breach to data subjects.
11. USE OF SUBCONTRACTORS
11.1. The Customer acknowledges and authorizes the Supplier’s use of the Pre-Approved Subcontractors and Third Parties existing as of the Effective Date and listed in the Supplier’s website: https://parseport.com/legal/DPAsubcontractors/. The Customer hereby gives a general authorization to new or replacement Subcontractors and Third Parties, provided the Supplier notifies the Customer as per clause 11.2 below.
11.2. The Supplier shall notify the Customer, in writing, about modifications made to the Pre-Approved Subcontractors. Upon receiving such notification, the Customer will have fifteen (15) days to reasonably object it. If not objected within fifteen (15) days, the modifications made to the Pre-Approved Subcontractors and notified to the Customer will be considered approved by the Customer and incorporated to the Agreement.
11.3. The Supplier may replace a Subcontractor or a Third Party without advance notice where the reason for the change is outside of the Supplier’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, the Supplier will inform the Customer of the replacement as soon as possible following its appointment. Clause 11.1 applies accordingly.
11.4 If we use a Subcontractor to carry out specific processing activities on behalf of the Customer, the same data protection obligations as are described in the Data Processing Agreement shall apply to the Subcontractor.
11.5. When we use a Subcontractor to provide the Services to you under the Data Processing Agreement, we remain liable for the Subcontractor’s actions or failures to act/breach on the same terms as for our own services.
11.6. All communication between the Customer and a Subcontractor shall go through the Data Processor.
12. CUSTOMER’S ACCESS TO PERSONAL DATA
12.1. During the term of the Data Processing Agreement, the Customer has full access to any Personal Data being processed by the Data Processor for the Customer. The Customer will not have access to Personal Data processed by Data Processor for other customers.
12.2. If applicable, and the Customer so requests, the Data Processor is obliged to keep a back-up copy of Personal Data and additional information available in the Data Processor’s systems for up to thirty (30) days after the expiry or termination of the Data Processing Agreement. Provided such request has been made, the Customer may, until the expiration of such 30-day period and irrespective of the reason for the expiry of the Data Processing Agreement, request for an access to any Personal Data and additional information recorded in such back-up copy.
12.3. Data Processor may only disclose Personal Data and to the Customer and/or to a third party appointed by the Customer.
13. COOPERATION WITH THE SUPERVISORY AUTHORITY
13.1. The Data Processor must always provide Supervisory Authorities with the necessary access to and insight into the Personal Data which is being processed and the systems used.
13.2. The Customer and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
14. ASSISTANCE, COOPERATION AND AUDIT COSTS AND FEES
14.1. For all the assistance and cooperation needed and/or to exercise its right to audit, Data Controller shall notify the Supplier, in writing, with at least ten (10) calendar days in advance, specifying the audit or assistance/cooperation needed, its purpose and the expected duration of the referred assistance or audit. Any expenses that the Supplier might incur when requested to help the Customer to exercise its rights as a Data Controller, including but not limited to the right to audit, review, inspect, to assist the Customer to comply with its obligations as a Data Controller and/or to cooperate with the Customer on the fulfillment of a request from a Supervisory Authority, shall be borne or reimbursed by the Customer.
14.1.1 In order to receive and/or gain access to the Supplier’s premises, non-public documents and sensitive information, the Customer and all third parties must sign the Supplier’s Non-Disclosure Agreement which will be provided by the Supplier upon receiving a request for audit, assistance and/or cooperation from Customer. Customer acknowledges and agrees that no access to premises, non-public documents and/or sensitive information will be provided or granted before the signature of the Supplier’s Non-Disclosure Agreement.
14.2. With the exemptions set forth in Clauses 9 and 14.1-14.4 (subclauses included), costs related to the Data Processor’s obligations under the Data Processing Agreement are included in the fees paid by the Customer to the Supplier for the Customer’s use of the Services.
14.3. Notwithstanding Clause 14.1, we are entitled to charge a fee for our assistance to you in relation to your revision, inspection, or audit of us as the Data Processor. The fee will be charged according to time spent on the Supplier’s current hourly rate.
14.4. We are, in addition to the Products and Services fees and the fee mentioned in clause 14.3 above, entitled to a separate fee, for the following services:
14.4.1. Support to the Customer with answering of requests from Data Subjects when it demands the Supplier to allocate an employee for such requests.
14.4.2. Support to the Customer in connection with Data Protection Impact Assessments (“DPIAs”);
14.4.3. Implementation of special technical or organizational security measures upon the Customer’s request (provided, and only to the extent, that the Data Processor can implement the technical or organizational security measures in question).
14.5. The above-mentioned fees will be charged in accordance with Clause 14.3.
15. LIABILITY
15.1. Subject to the terms of the applicable Order and the General License Terms or to the Service Agreement, the Parties’ liability related to processing of Personal Data under the Data Processing Agreement is regulated in accordance with the GDPR.
15.2. We are not liable for any fines that you receive for breaches of the GDPR whether by ruling, judgment or similar measure by any court, government agency or Supervisory Authority.
15.3. Claims for liability and indemnification, in aggregate, shall in no case, exceed the amount paid by the Customer to the Supplier as a fee for the Products and Services in the first contractual year (or during the first twelve contractual months), excluding any amount paid for requested Paid Support and/or Additional Services.
16. WARRANTY
16.1 By entering into the Data Processing Agreement, the Customer warrants and guarantees that we can lawfully process Personal Data for provision of Services for the Customer. The Customer agrees to hold us harmless from any claim for damages, compensation, or other payments, which we are ordered to pay whether by ruling, judgment or similar measure by any competent court, government agency or supervisory authority, due the Customer’s breach of its obligations according to this clause.
17. EFFECTIVE DATE AND TERMINATION
17.1. The Data Processing Agreement is entered into by your subscription to our Products and Services. The Data Processing Agreement shall therefore enter into force on the Effective Date.
17.2. By subscribing to our Products and Services, and thereby entering into the Data Processing Agreement, you confirm that you are authorized to legally act on behalf of the Customer and commit to terms of the Data Processing Agreement.
17.3. The Data Processing Agreement shall expire on the date of effective termination of the Customer’s use of the Data Processor’s Services. However, the terms of the Data Processing Agreement will apply if the Data Processor is processing Personal Data on behalf of the Customer.
17.4. After the Data Processing Agreement’s effective termination, we will delete, return or retain (if authorized or required by law) the Personal Data that we have for you under the Data Processing Agreement. If you wish to have your Personal Data deleted or returned to you, you must provide us with your request to return the Personal Data without undue delay and no later than thirty (30) days after the Data Processing Agreement’s effective termination.
18. CHANGES IN THE APPLICABLE DATA PROTECTION LEGISLATION
18.1. If a change in mandatory applicable data protection legislation applicable to the Customer or to the Data Processor requires the Data Processor to (i) sign on to any additional documentation for mandatory data protection compliance purposes, or (ii) implement additional technical and organizational measures to the ones listed herein, or (iii) accept additional obligations to those set out herein, and such requirement mentioned in (i) – (iii) above cause additional costs or risks for the Data Processor, the Parties agree to negotiate in good faith a fair adjustment of any applicable fees. If the Parties cannot agree on a fair adjustment of any applicable fees, the Data Processor is entitled to terminate the Services with thirty (30) days’ prior, written notice.
18.2. Clause 18.1 shall apply accordingly, in case (i) the Customer instructs the Data Processor to undertake services not foreseen in the Data Processing Agreement or (ii) where mandatory applicable data protection legislation applicable to the Customer or to the Data Processor or the relevant Supervisory Authority imposes obligations on the Data Processor in addition to those set out herein.
19. APPLICABLE LAW AND JURISDICTION
19.1. The Data Processing Agreement is governed by Danish law with the Copenhagen City Court as its legal venue with the possibility of referral and appeal in accordance with the Danish Administration of Justice Act., United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to the Data Processing Agreement.
19.2 In the event any provision of this Data Processing Agreement, in whole or in part, is invalid, unenforceable or in conflict with the applicable laws or regulations, such provision will be replaced, to the extent possible, with a provision which accomplishes the original business purposes of the provision in a valid and enforceable manner, and the remainder of this Data Processing Agreement will remain unaffected and in full force.
_________________________________
APPENDIX 1: CATEGORIES OF PERSONAL DATA
| Categories of Personal Data | Purpose of the processing | Duration |
|---|---|---|
| Name, job title and work email | Creation of login to the online portal and track log purposes (cloud-based Software) | Same as the Agreement and for as long as permitted by law after the termination of the Agreement. |
| Personal Data contained in the Annual Report (if any) | Allowing the Customer to create an iXBRL file from the merge of a visual (normally a PDF) and a technical (normally an Excel) files. | For 15 min. It starts when the Customer uploads the files into ParsePort’s cloud-based Software and ends 15 min after when everything uploaded is flushed out. Nothing is stored. |
Special categories of Personal Data
The Data Processor does not process special categories of Personal Data on behalf of the Customer.
_________________________________
APPENDIX 2: PRE-APPROVED SUBCONTRACTORS AND THIRD PARTIES
The Pre-Approved Subcontractors and Third Parties’ list is available at the Supplier’s website at the following link: https://parseport.com/legal/DPAsubcontractors/. The Supplier keeps the list of Pre-Approved Subcontractors and Third Parties up to date and the Customer informed of any modifications to it.
_________________________________
List of Subcontractors and Third Parties (DPA v.Nov2023)
The Pre-Approved Subcontractors and Third Parties are as follows:
| Entity Name | Main purpose | Applicable Services | Location |
|---|---|---|---|
| Microsoft Azure | Hosting Provider | XBRL Converter | EU/EEA |
| Dropbox | Document storage | Internal use | EU/EEA |
| HubSpot | CRM System | Communication for the provision of Support and Services | EU/EEA |
| Workiva Inc. | ParsePort’s Holding Company | Account Management Support – may provide support | United States |
| Workiva France SAS | Support | Account Management Support – may provide support | FR |
| Workiva Germany GmbH | Support | Account Management Support – may provide support | DE |
| Workiva Netherlands B.V. | Support | Account Management Support – may provide support | NL |
| Workiva UK Ltd. | Support | Account Management Support – may provide support | UK |
| Workiva Sweden AB | Support | Account Management Support – may provide support | SE |
| Workiva Spain, S.L. | Support | Account Management Support – may provide support | ES |
| Workiva Singapore PTE LTD | Support | Account Management Support – may provide support | Singapore |
| Workiva Australia Pty Ltd. | Support | Account Management Support – may provide support | Australia |
| Workiva Canada ULC | Support | Account Management Support – may provide support | Canada |