Asora Data Processing Agreement

Last Modified: 4 October 2022

We update these terms from time to time. If you have an active Asora subscription, we will let you know when we do via email.

The term of this DPA will follow the term of the Agreement.

Introduction

BETWEEN

  • Customer (as defined in the Master Terms and hereafter referred to as the “Controller”, “you” or “your”); and
  • Asora Technologies Limited t/a Asora, company number 706300 with its registered office at 20 Hatch Street Lower, Dublin, DUBLIN, D02 XH02, Ireland (hereafter referred to as the “Processor”, “our”, “us” or “we”).

(each a “Party” and together the “Parties”)

  1. The Processor is engaged to carry out services on behalf of the Controller pursuant to the Agreement.
  2. The Processor’s provision of these services to the Controller necessitates the processing of personal data on behalf of the Controller by the Processor. This Data Processing Agreement, intended to be read in conjunction with the Agreement, sets out the terms upon which the Processor must process Customer Data for and on behalf of the Controller.

IN CONSIDERATION of the mutual benefit to the Parties of the arrangements referred to in this Data Processing Agreement and for other valuable consideration pursuant to the Agreement IT IS AGREED as follows:

Definitions

In this DPA the following expressions, unless the context otherwise requires, have the following meanings:

Agreement means the agreement between the Parties which governs the Controller’s use of the Processor’s services. It consists of the following documents: Master Terms; Product Specific Terms; this DPA; and any Order Form(s) entered into between the Parties.
Customer Data means personal data processed by the Processor on behalf of the Controller in connection with the performance by the Processor of its obligations under the Agreement, as more particularly set out in Appendix 1.
Data Protection Laws means applicable data protection and privacy laws including the Data Protection Acts 1988 to 2018, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
DPA means this data processing agreement.
Effective Date means the date you enter into the Agreement with Processor.
Instructions means the written, documented instructions of the Controller contained in the Agreement.
Sub-Processor means any processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any of our employees or consultants.

In this Agreement, unless the context requires otherwise:
(a) the terms “controller”, “data subject”, “personal data”, “personal data breach”, “processor”, “processing” (and derivatives of this term), and “supervisory authority” each have the meaning given under the GDPR;
(b) headings will not affect the interpretation of this Agreement;
(c) any reference to any statute, statutory provision, order, decision, or regulation shall be construed as a reference to that statute as modified or re-enacted from time to time;
(d) phrases introduced by the terms “including” or “include” shall not limit the preceding words; and
(e) words in the singular include the plural and vice versa.

In the event of a conflict or inconsistency between any provision in this DPA and any provision in the Master Terms, Product Specific Terms, or any Order Form entered into between the Parties, this DPA will take precedence to the extent of such conflict or inconsistency.

All terms that are capitalised and not defined here shall have the meaning given to them in the Master Terms.

Data Processing Provisions

The Parties acknowledge and agree that:

  • For the purposes of the Data Protection Laws and the Agreement, the Controller is the controller and the Processor is a processor of Customer Data; and
  • Appendix 1 sets out the scope, nature and purpose of the processing by Processor of Customer Data, the duration of the processing and the types of personal data and categories of data subject involved.

Controller Responsibilities

Compliance with Laws. Within the scope of the Agreement and in its use of the Subscription Services provided by Processor under the Agreement, the Controller will be responsible for complying with all requirements that apply to it under Data Protection Laws with respect to its processing of Customer Data and the Instructions it issues to the Processor.

In particular, the Controller acknowledges that it will be solely responsible for:
(i) the accuracy and legality of Customer Data;
(ii) complying with transparency and consent requirements under Data Protection Laws;
(iii) ensuring it has the right to transfer Customer Data to the Processor; and
(iv) ensuring its Instructions comply with applicable laws.

The Controller will inform the Processor without undue delay if it is not able to comply with its responsibilities under this DPA or the Data Protection Laws.

Controller Instructions. The Agreement (including this DPA), together with the Controller’s use of the Subscription Service, constitute the Controller’s complete Instructions to the Processor regarding Customer Data processing. The Controller authorises the Processor to process Customer Data as reasonably required to provide the Subscription Services.

Security Responsibility. The Controller is responsible for ensuring the data security provided for in the Subscription Service meets its obligations under applicable Data Protection Laws and for protecting Customer Data in transit to and from the Subscription Service.

Warranties. The Controller warrants that:
(a) its current Instructions are contained in this Agreement;
(b) any Instructions it issues shall comply with Data Protection Laws; and
(c) it is entitled to transfer the Customer Data to the Processor and has complied with its obligations to do so.

Processor Obligations

Compliance with Instructions. The Processor will only process Customer Data for the purposes described in the Agreement or as otherwise agreed within the scope of the Controller’s lawful Instructions, except where required by applicable law. The Processor will inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

Conflict of Laws. If the Processor becomes aware that it cannot process Customer Data in accordance with the Controller’s Instructions due to a legal requirement, it will promptly notify the Controller (unless prohibited by law) and cease processing until lawful Instructions are issued.

Security. The Processor will implement and maintain appropriate technical and organisational measures to protect Customer Data from personal data breaches, as described in Appendix 2 (“Security Measures”). Modifications to these measures may occur, provided protection is not materially degraded.

Confidentiality. The Processor will ensure that any personnel authorised to process Customer Data are subject to appropriate confidentiality obligations.

Personal Data Breaches. The Processor will notify the Controller without undue delay after becoming aware of a verified personal data breach and provide relevant details as they become known. Upon request, the Processor will assist the Controller in notifying supervisory authorities and affected data subjects as required.

Deletion or Return of Customer Data. Upon termination or expiration of the Subscription Service, the Processor will delete or return all Customer Data (including copies), unless retention is required by law. The Controller may request deletion of its Asora account or retrieve Customer Data in accordance with the Master Terms and Product Specific Terms.

Assistance. Taking into account the nature of processing, the Processor will provide reasonable assistance to the Controller at the Controller’s cost in ensuring compliance with Articles 32–36 of the GDPR.

Audit Rights. The Processor will make available to the Controller all necessary information to demonstrate compliance with Article 28 of the GDPR and allow for audits or inspections, subject to the following conditions:

  • Audits must be carried out during normal working hours and not more than once every 12 months.
  • The Controller must give at least 30 days’ notice of its intention to conduct an audit.
  • The Controller must ensure no damage, disturbance, or disruption to the Processor’s activities occurs.
  • Auditors must be bound by confidentiality obligations.
  • Only systems, premises, and equipment used for processing Customer Data may be audited.
  • All audit costs are borne solely by the Controller.

Data Subject Requests

Where the Controller is unable to independently address a data subject’s request under Data Protection Laws, the Processor will provide reasonable assistance upon written request. The Controller shall reimburse the Processor for commercially reasonable costs arising from such assistance.

If a Data Subject Request is received directly by the Processor, it will promptly inform the Controller and advise the data subject to contact the Controller directly. The Controller remains solely responsible for responding to such requests.

Sub-Processors

The Controller agrees that the Processor may engage Sub-Processors to process Customer Data on its behalf. The Processor has appointed the Asora Affiliates and third parties listed in Appendix 3 as Sub-Processors.

When appointing new Sub-Processors, the Processor will notify the Controller and allow 30 days for objections on reasonable data protection grounds. If unresolved, the Processor may either not appoint the Sub-Processor or permit the Controller to suspend or terminate the affected Subscription Service.

All Sub-Processors are subject to equivalent data protection terms as those in this DPA, and the Processor remains responsible for their compliance.

Data Transfers

The Processor will not transfer or otherwise process Customer Data outside the European Economic Area without the Controller’s prior written consent, which shall not be unreasonably withheld.

Liability

Nothing in this Agreement shall exclude or limit either Party’s liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded under applicable law.

The Controller remains solely liable for any damage suffered by a data subject resulting from processing under its control that does not arise from a breach by the Processor. The Processor shall not be liable where non-compliance results from acts or omissions of the Controller.

Neither Party shall be liable to the other for any indirect or consequential loss or damage. Each Party retains its own direct responsibilities as controller or processor under Data Protection Laws.

Subject to the above, the Processor’s aggregate liability in any 12-month period shall not exceed the total fees paid by the Controller during that period. The Controller agrees to indemnify and hold harmless the Processor from losses or penalties arising from the Controller’s breach of this DPA.

General Provisions

Amendments. The Processor reserves the right to update this DPA in accordance with the “Amendment; No Waiver” section of the Master Terms.

Severability. If any provision is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Governing Law. This DPA shall be governed by the laws of Ireland. The Courts of Ireland shall have exclusive jurisdiction, provided nothing prevents a Party from seeking interim relief elsewhere.

Details of Processing

This Appendix describes the subject-matter, duration, nature, and purpose of processing of Customer Data by the Processor on behalf of the Controller.

Subject matter of processing: The provision of the Subscription Service and all related services provided by Asora.
Duration of processing: For the duration during which the Processor provides the Subscription Services.
Nature and purpose of processing: Processing Customer Data as necessary to perform Subscription Services, fulfil obligations under the Agreement, and comply with the Controller’s Instructions.
Categories of data subject: Includes the Controller’s clients, affiliates, employees, contractors, customers, suppliers, and other end users.
Types of personal data: Name, email, phone, usernames, financial data (if personal), and similar information provided via the Subscription Service.
Special categories of personal data: Not anticipated.
Period of Retention: Customer Data is retained for the duration of the Agreement unless otherwise required by law.

Security Measures

The Processor observes the following Security Measures to protect Customer Data:

a) Access Control

Preventing Unauthorised Product Access. Services are hosted on secure, audited infrastructure (e.g., ISO 27001-compliant). Multi-factor authentication and least-privilege principles apply to authorised personnel.

Preventing Unauthorised Product Use. Network access controls, intrusion prevention, static code analysis, and annual penetration tests are implemented to safeguard data.

b) Transmission Control

All data in transit is protected using HTTPS/TLS encryption. Data at rest is encrypted following industry standards.

c) Input Control

Extensive logging, monitoring, and incident response procedures are maintained to detect and manage malicious or unintended activity.

d) Availability Control

Infrastructure providers ensure 99.5% uptime and redundancy (N+1). Data is backed up, replicated, and designed for fault tolerance to minimise downtime.

List of Sub-Processors

| Third-Party Sub-Processor | Purpose | Applicable Service | US Data Center | EU Data Center |
|---|---|---|---|---|
| MS Azure | Hosting & Infrastructure | On-demand cloud computing platforms and APIs | n/a | Ireland with Netherlands backup |
| Twilio, Inc. | 2-Factor Authentication | Used as an authentication service | US | None |

| Asora Sub-Processor | Purpose | Location |
|---|---|---|
| Asora Dataconnect Ltd | Services & Support | Ireland |