This Data Processing Addendum (“DPA”) is an agreement between Artisan Software Consulting LLC, a company registered in Nevada, USA and located at 5729 N White Sands Rd, Reno, NV 89511 (“we” or “us” or “Artisan”) and you or the entity you represent (“Customer” or “you”). This DPA supplements the Sierra Agility Terms of Service as updated from time to time (“Terms of Service”) when we process personal data on your behalf in connection with the Services.

1. Definitions

Terms defined in Terms of Service shall apply in this DPA, unless defined otherwise in this DPA. The following terms used in this DPA shall have the following meanings:

  • “Data Protection Legislation” shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU General Data Protection Regulation (2016/679) and any implementing national laws, the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time;
  • “Customer Personal Data” shall mean all personal data (as defined in the Data Protection Legislation) controlled by the Customer which is processed by Artisan in providing with the Services; and
  • “Services” the services provided by Artisan to the Customer.

In this DPA, the terms “process”, “data controllerName”, “data processor” and “data subject” shall have the meanings set out in the Data Protection Legislation. The parties shall each comply with their respective obligations under the Data Protection Legislation as regards the Customer Personal Data. The parties agree that the Customer shall be the data controllerName and Artisan shall be a data processor of any Customer Personal Data. The Customer warrants that its instructions to Artisan in respect of the Customer Personal Data are lawful.

Artisan shall:

  • only process Customer Personal Data in accordance with the Customer’s documented instructions, including with regard to transfers, unless required to do otherwise by applicable law. In which event, Artisan shall inform the Customer of the legal requirement before processing the Customer Personal Data other than in accordance with the Customer’s instructions, unless legally prohibited from doing so;
  • ensure that its personnel are subject to appropriate obligations of confidentiality;
  • taking into account the nature of the Services, provide reasonable assistance to the Customer, insofar as this is possible and at the Customer’s cost, for the fulfilment of the Customer’s
    obligations under the Data Protection Legislation in respect of data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; and the fulfilment of data subject’s rights; and
  • on termination of this DPA, upon the Customer’s request, return or delete the Customer Personal Data,
    and delete any existing copies in its possession unless required to retain such Customer Personal Data under applicable law.

The Customer consents to Artisan engaging the subcontractors listed in Schedule 1 to process the Customer Personal Data on its behalf (“Sub-processors”). Artisan shall ensure Sub-processors are subject to contractual obligations which are the same as or equivalent to those imposed on Artisan under this DPA. Artisan shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. In the event of the Customer objecting to such change, Artisan shall make reasonable efforts to address the Customer’s concerns (including making reasonable efforts to find an alternative Sub-processor). Artisan shall remain liable for the performance of any Sub-processor’s obligations.

The Customer acknowledges and agrees that Customer Personal Data may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Services and Artisan’s other obligations under the Terms of Service. Artisan shall implement a data transfer solution to ensure any such transfers are compliant with the Data Protection Legislation.

Artisan shall use appropriate technical and organisational measures to protect Customer Personal Data stored within Artisan infrastructure against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration, as described in our Security standards.

Upon written request, Artisan shall make available to the Customer such information as is reasonably necessary to demonstrate Artisan’s compliance with its obligations under this DPA. In addition, Artisan agrees to permit an audit to be conducted of its facilities, by the Customer or the Customer’s representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out: (i) during Artisan’s normal business hours; (ii) in a manner that causes minimal disruption to Artisan’s business and excludes from its scope any internal pricing information, information relating to other customers of Artisan or Artisan’s own internal reports; and (iii) at the Customer’s own cost.

Artisan shall notify the Customer without undue delay of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Data (“Security Breach”). Artisan shall provide the Customer with reasonable assistance in relation to the Security Breach, including the provision of such information as is known to Artisan regarding the nature of the breach, the categories and approximate number of data subjects and records concerned.

The Customer Personal Data processing activities carried out by Artisan under this DPA may be described as follows:

    • Subject matter: The provision of the Services.
    • Duration: The duration of the Services plus the period from the expiry of the services until deletion of all Customer Personal Data by Artisan.
    • Nature and purpose: To enable Artisan to provide the Services.

Data categories: personal information relating to employees and business associates of the Customer, which may include name, email, business address, IP address, location by region or country and product usage statistics.

Data subjects: authorized users, employees of Customer, consultants of Customer, contractors of Customer, customers of Customer, agents of Customer, and/or third parties with which Customer conducts business.

2. Conflict

Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will control.

3. Changes to the Terms of Service and the Service

Artisan reserves the right to update this DPA from time to time, at our discretion and without notice. Each new version will be made available on our Website and it is your responsibility to regularly check our Website for new versions. Your continued use of the Services following the publishing of an updated DPA means that you accept and agree to the changes.

This DPA was last updated on the 24th of February, 2023.

SCHEDULE 1 – APPROVED SUB-PROCESSORS

  • Hostgator – Cloud-based processing services, United States
  • Zapier – Integration management services, United States