PHASIO DATA PROCESSING TERMS
Last Modified: August 14, 2024
This Data Processing Addendum (the Addendum) forms part of the Phasio Subscription Agreement (and any ancillary or related documentation), as updated or amended from time to time (the Agreement), between you, the Client (as defined below) and Phasio. All capitalized terms not defined in this Addendum have the meaning set out in the Agreement.
This Addendum only applies if and to the extent Phasio processes personal data on behalf of a Client that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below). If the Client has entered into earlier data processing terms with Phasio, those terms are replaced by this Addendum.
1. Data protection
1.1 Definitions
In this Addendum, the following terms have the following meanings:
a) controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law
b) Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and/or the UK General Data Protection Regulation (the UK GDPR) and any EU Member State and/or UK laws made under or pursuant to the GDPR and/or UK GDPR
c) Client has the same meaning as in the Phasio Subscription Agreement
1.2 Relationship of the parties
The Client (the controller) appoints Phasio as a processor to process the personal data described in Annex B (the Data) only on the controller’s documented instructions (and as per the terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it under Applicable Data Protection Law.
1.3 Prohibited data
Unless explicitly requested by Phasio to do so, the Client will not disclose (and will not permit any data subject to disclose) any special categories of personal data to Phasio for processing.
1.4 International transfers
Phasio will not transfer the Data outside of the European Economic Area (EEA) or the United Kingdom (UK) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission and/or the UK Secretary of State (as applicable) has decided provides adequate protection for personal data (an Adequate Country), or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission and/or the UK Secretary of State or UK Information Commissioner (as applicable). To this end, you authorize Phasio to enter into standard contractual clauses as your agent and on your behalf with any recipient of Data who is not located in an Adequate Country where this is necessary for compliance with Applicable Data Protection Law.
1.5 Confidentiality of processing
Phasio will ensure that any person it authorizes to process the Data (an Authorized Person) will protect the Data in accordance with Phasio’s confidentiality obligations under the Agreement.
1.6 Security
Phasio will implement technical and organizational measures, as set out in Annex A, which may be amended and updated from time to time, to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or unauthorized access to, the Data (a Security Incident).
1.7 Subcontracting
The Client consents to Phasio engaging third-party sub-processors to process the Data for the Permitted Purpose provided that:
(i) Phasio maintains an up-to-date list of its sub-processors, which is available on its website at the Phasio sub-processors page, and which it will update with details of any change in sub-processors at least 30 days prior to the change;
(ii) Phasio imposes data protection terms on any sub-processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and
(iii) Phasio remains liable for any breach of this Addendum that is caused by an act, error or omission of its sub-processors. The Client may object to Phasio's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Phasio will either not appoint or replace the sub-processor or, if Phasio determines at its sole discretion that this is not reasonably possible, the Client may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Client up to and including the date of suspension or termination).
1.8 Cooperation and data subjects’ rights
Phasio will provide reasonable and timely assistance to the Client (at the Client’s expense) to enable the Client to respond to:
(i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to Phasio, Phasio will promptly inform the Client, providing full details.
1.9 Data protection impact assessment
If Phasio believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Client and provide reasonable cooperation to the Client in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
1.10 Security incidents
If it becomes aware of a confirmed Security Incident, Phasio will inform the Client without undue delay and will provide reasonable information and cooperation to the Client so that the Client can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Phasio will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and will keep the Client informed of all material developments in connection with the Security Incident.
1.11 Deletion or return of data
Phasio will retain the Data for a period of up to 1 year after a subscription is terminated in case the Client later needs access to it. On expiry of this period or on the Client’s earlier request, Phasio will delete or return the Data in a manner and form decided by Phasio, acting reasonably. This requirement will not apply to the extent that Phasio is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Phasio shall securely isolate and protect from any further processing.
1.12 Audit
The Client acknowledges that Phasio is regularly audited against SOC 2 standards by an independent third-party auditor. Upon the Client's request, and subject to the confidentiality obligations set out in the Agreement, Phasio will make available to the Client (provided that the Client or its independent third-party auditor is not a competitor of Phasio) a copy of Phasio's SOC 2 report in the same manner and form in which Phasio makes it generally available to customers.
Annex A – Security measures
Information regarding the technical and organizational measures Phasio has in place to protect Data in accordance with clause 1.6 of this Addendum is available in Phasio's SOC 2 report, which can be requested by emailing support@phas.io, and on the Security at Phasio webpage.
Annex B – Data processing schedule
1. Subject matter and duration of processing of personal data
The personal data to be processed concerns:
a) the customers of the Client entered by or at the election of the Client into the Phasio platform
b) the customers of the Client who, at their own discretion, sign up on the Client's digital storefront
c) the users of the platform who are employed by the Client
d) orders placed by or on behalf of customers of the Client through the Phasio platform
The duration of processing personal data shall be for as long as Phasio has a business relationship with the Client; at the end of that relationship, Phasio will act in accordance with clause 1.11 regarding deletion or return of such personal data.
2. Nature and purpose of processing personal data
The nature and purpose of processing personal data is to enable the functionality of the Phasio Platform as set out in the Agreement and related documentation.
3. Types of personal data processed
The types of personal data processed include:
a) names
b) addresses
c) contact details
d) identification details (for example, tax registration numbers)
e) other personal data types for use on the Phasio platform
4. Categories of data subjects
The categories of data subjects include:
a) suppliers / service providers of Client
b) customers / clients of Client
c) employees / contractors of Client
d) other contacts of the Client