Fidify Data Processing Addendum (DPA)
Version: 1 January 2025 (Global, with Mauritian Data Protection Act equivalency table)
1. BACKGROUND AND PURPOSE
1.1 This Data Processing Addendum and its appendices (“DPA”) are an integral part of the Fidify terms of service or separate service agreement, as the case may be (the “Main Agreement“) in which the Processor undertakes to provide SaaS services (the “Service”).
1.2 When used in this DPA, “Processor” shall refer to the Fidify entity providing the Service and “Controller” shall refer to the commercial customer purchasing the Service (also referred to as the “Customer”). This DPA applies when the Customer renews or purchases a Service. The Processor and the Controller shall hereinafter be referred to collectively as the “Parties” and individually and indistinctly as the/a “Party”.
1.3 In the event of inconsistency between the Main Agreement and the DPA, the Main Agreement shall generally prevail, however this DPA shall prevail with respect to those terms and issues relating particularly to Processing of Personal Data.
1.4 In addition to the remuneration stipulated in the Main Agreement, the Processor shall be entitled to reasonable and evidenced costs directly attributable to the obligations in section 4.12 to the extent that these go beyond what is required by the Applicable Data Protection Law, or where the Controller imposes higher or increased requirements for handling and control than those stipulated in the Applicable Data Protection Law. This additional remuneration shall be based on an hourly rate of EUR 250 per hour.
1.5 Where the Controller is subject to the Mauritian Data Protection Act, section 14.2 and Appendix 2 shall apply.
2. DEFINITIONS
2.1 Except as set forth herein, words, abbreviations and expressions shall have the meaning as ascribed to them in the Main Agreement, unless the context requires otherwise, or it is explicitly stated below:
“Applicable Data Protection Law“: the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable in the country in which the Controller is established and/or applicable in the jurisdiction in which the Processor or any Sub-processors are established;
“EEA”: The European Economic Area;
“GDPR”: The European Parliament and the Council Regulation (EU) no 2016/679;
“Mauritian Data Protection Act”: the Mauritian Data Protection Act 20/2017 (Proclamation No. 3 of 2018 w.e.f. 15 January 2018, Government Gazette of Mauritius No. 120 of 23 December 2017);
“Personal Data“, “Personal Data Breach”, “Special Categories of Data“, “Process/Processing“, “Controller“, “Processor“, “Data Subject” and “Supervisory Authority” shall have the same meaning as in the GDPR;
“Portal”: the Fidify App or Fidify portal to which the Controller has access and to which the Controller may enrol its end-customers for document sharing and two-way communication;
“Sub-processor“: any processor (subcontractor) engaged by the Processor who Processes Personal Data on behalf of the Processor in accordance with the instructions provided, the terms of this DPA and the terms of the written subcontract;
“Standard Contractual Clauses“: the Standard Contractual Clauses for the transfer of Personal Data to data Processors established in third countries, laid down by the EU Commission (COMMISSION IMPLEMENTING DECISION (EU) 2021/914 as of 4 June 2021); and
“Technical and Organisational Security Measures” or “TOMs”: measures aiming at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
3. CONTROLLER – PROCESSOR
3.1 The Controller determines the purpose and the means of the Processing of Personal Data and is therefore defined as a data Controller. Consequently, the Controller is obligated to ensure that the Processing of Personal Data under the Main Agreement is always in compliance with a legal basis in accordance with Applicable Data Protection Laws.
3.2 As set out in the Main Agreement, the Processor has undertaken to assist the Controller in processing Personal Data and is therefore deemed a data Processor.
4. GENERAL OBLIGATIONS OF THE PROCESSOR
4.1 The Processor shall, when Processing Personal Data in the context of the Main Agreement, comply with Applicable Data Protection Law (as amended or replaced from time to time).
4.2 The Processor shall further adhere to those routines and instructions for such Processing as communicated in writing by the Controller.
4.3 The Processor shall not Process Personal Data given access to or generated in the context of the Main Agreement for any purpose other than to perform its obligations pursuant to the Main Agreement. Accordingly, the Processor shall not use such Personal Data for its own purposes, except where Personal Data has first been irrevocably anonymized so that it no longer qualifies as Personal Data.
4.4 Without limiting the generality of the foregoing, the Processor does not have the right to Process Personal Data in other categories or in any other way, for purposes or according to instructions other than those that follow from the Main Agreement or are specified in Appendix 1 to this DPA. Should the Processor find that there are insufficient instructions to fulfil the assignment under the DPA or the Main Agreement, the Processor must inform the Controller without undue delay. Should performance under the Main Agreement be affected, the Processor shall inform the Controller thereof and await further instructions.
4.5 The Processor shall implement and maintain throughout the term appropriate Technical and Organisational Security Measures (TOMs) to ensure a level of security as required by Article 32 GDPR, to protect the Personal Data against unauthorized or unlawful Processing and against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access. In considering the appropriateness of the TOMs, the Processor shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The TOMs are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures, as long as the level of security is maintained. The latest TOMs shall be available on the Processor’s website.
4.6 The Controller warrants that only personnel or contractors who require access to Personal Data to perform their work duties will have access to the Personal Data and that these personnel are subject to confidentiality undertakings regarding the Personal Data. The Processor shall only allow access to the Personal Data to personnel on a need-to-know basis and must always ensure that such personnel are bound by adequate confidentiality undertakings and are informed and aware of applicable data protection laws. The Processor must also ensure that the personnel only Process Personal Data as instructed by the Controller unless other Processing is required by law.
4.7 The Controller retains the formal control of, and all ownership and rights to, the Personal Data Processed by the Processor and any Sub-processors hereunder. The Controller may require to receive the Personal Data at any time, and the Processor shall meet such request without undue delay in a suitable format.
4.8 The Processor shall inform the Controller as soon as possible in the event of attempted or successful unauthorised or unlawful access, destruction or change of Personal Data.
4.9 If the Data Subject, the Supervisory Authority or another third party requests information from the Processor regarding Personal Data, the Processor shall promptly refer such party to the Controller. The Processor is not entitled to disclose Personal Data or other information on the Processing without the explicit instruction/approval of the Controller, unless disclosure is required by law.
4.10 The Processor shall inform the Controller of any contact with the Supervisory Authority without undue delay if the contact concerns or may affect the Processor’s Processing of Personal Data. This undertaking shall only apply to Processing of Personal Data attributable to the Customer or which can affect the Customer. The Processor is not entitled to represent or speak on behalf of the Controller in relation to the Supervisory Authority.
4.11 Other than to the extent covered by the instructions from the Controller, the Processor must not disclose Personal Data to third parties, change the purpose or the means of the Processing, take measures or series of measures such as collect, record, process, change, block, erase or destroy Personal Data, multiply the data in the Controller’s database, or compile or merge the Personal Data.
4.12 The Data Subject has a right to request through the Controller a record of its Personal Data, data portability, request correction, blocking or potential erasure of the Personal Data that is covered by the DPA. Once the Controller has – to the extent necessary – confirmed the identity of the Data Subject who has made a request, the Processor shall be required to assist the Controller to such extent that these requests can be fulfilled. The Processor is also obligated to assist the Controller in its duties on security in relation to the Processing, contact with the Supervisory Authority and potential breach, impact assessment regarding data protection and prior consultation with the Supervisory Authority regarding the categories of Processing and the information available to the Processor.
4.13 All Processing must be kept confidential, which means that the Processor, its employees and Sub-processors must not disclose any information to third parties without the Controller’s prior consent. The confidentiality undertaking does not apply if the information has been made available to the Processor in ways other than the fulfilment of the DPA or if it is publicly known. The confidentiality undertaking shall survive termination of the DPA.
4.14 Upon termination of the Main Agreement, the Processor must irrevocably anonymise all Personal Data that is stored or Processed by the Processor under the Main Agreement in such a way that it is not possible to recreate it, or instead return or erase all Personal Data as instructed by the Controller. The Processor must also delete all copies of Personal Data unless applicable law requires that the data is stored. Return of, or information on deletion of, the Personal Data must be provided to the Controller within 90 days following termination of the Main Agreement, unless extended paid storage of Personal Data has been agreed upon (in which case this DPA shall continue to apply).
5. USE OF SUB-PROCESSORS
5.1 The Processor is hereby granted a general authorisation from the Controller to engage Sub-processors, as long as the Processor ensures that Articles 28.2 and 28.4 of the GDPR are met and that the Sub-processors provide adequate guarantees to implement appropriate TOMs to fulfil the requirements of this DPA and the Applicable Data Protection Law. The Processor shall ensure that all Sub-processors are bound by written agreements which impose corresponding obligations when processing Personal Data on behalf of the Controller. The Processor shall maintain an up-to-date list of Sub-processors on its website. The Processor shall remain responsible towards the Controller for any processing carried out by a Sub-processor.
5.2 The Processor is entitled to engage new Sub-processors and to replace existing Sub-processors. In this case, the Processor undertakes to verify the new Sub-processor’s capacity and ability to meet its obligations in accordance with the Applicable Data Protection Law. The Processor shall inform the Controller – e.g. by e-mail, or within the Processor’s SaaS platform – if the Processor intends to engage additional Sub-processors or to replace Sub-processors, and shall give notice of the new Sub-processor, which types of data and categories of Data Subjects are being processed, and where the Personal Data will be stored. The Controller is entitled within fourteen (14) days of the notice to object to the appointment of the new Sub-processor in writing. If the Controller does not object within the given timeframe, the new Sub-processor shall be deemed accepted. If the Controller makes a legitimate objection and the Processor does not accept the objection against the Sub-processor in question, the Processor shall be entitled, at its own discretion, either to perform the service without the intended change in the Sub-processor, or, if the performance of the service without the intended change is unreasonable for the Processor, to terminate the Main Agreement, including this DPA, by giving thirty (30) days’ written notice from the Processor’s receipt of the Controller’s objection.
5.3 Upon request from the Controller, the Processor shall provide the Controller with a correct and up-to-date list of the Sub-processors assigned to Process Personal Data on behalf of the Processor, and the geographic location of the Processing. The Processor can fulfil the obligations under this paragraph by referring the Controller to the list maintained on the Processor’s website.
5.4 The Processor will impose equivalent data protection terms on the Sub-processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processors. The Processor will remain responsible for each Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause the Processor to breach any of its obligations under this DPA and the Applicable Data Protection Laws.
6. INTERNATIONAL DATA TRANSFER
6.1 In the event that the Processor and/or Sub-processors transfer Personal Data to a location outside of the EU/EEA (if the Controller is in Mauritius: to a location outside of Mauritius), the Processor and/or Sub-processor shall ensure that such transfer complies with the Applicable Data Protection Laws. Under the terms of this DPA, such requirements in relation to certain countries will, if suitable, be fulfilled by entering into the EU’s standard contractual clauses for the transfer of Personal Data to Processors established in third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) or other applicable transfer mechanisms pursuant to Article 44 et seq. of the GDPR in order to secure the transfer. The Processor is required to keep the Controller informed of the grounds for transfer.
7. AUDITS
7.1 The Controller is entitled to verify, by itself or through an independent third party (who must not be a competitor of the Processor), that the Processor complies with the terms of this DPA and Article 28(3) of the GDPR and the instructions provided by the Controller. After thirty (30) days’ prior notification, the Processor shall reasonably provide the Controller with the assistance and the documentation required to carry out such control. Checks shall be made during the Processor’s normal office hours and shall be conducted so that the Processor’s operations are not disturbed. The cost of an audit shall be covered by the Controller.
7.2 The Processor may make the inspection conditional upon the signing of a confidentiality agreement to protect the data of other customers and information about the Processor’s TOMs, as well as the Processor’s business and trade secrets. The Controller shall ensure its personnel conducting such audit are subject to adequate secrecy obligations.
7.3 If the Parties agree that an audit is to be performed by external auditors, such external auditor is to be appointed by the Controller and approved by the Processor. Upon security audits performed by an external auditor, both Parties shall be entitled to receive a copy of the audit report.
7.4 If the audit reveals non-compliance with the DPA, the Processor shall notify the Controller immediately and without undue delay remedy such non-compliance.
7.5 The Processor shall procure that the Controller is similarly entitled to conduct audits in respect to the Sub-processors.
8. DATA BREACHES
8.1 The Controller must be notified without undue delay after a Personal Data Breach comes to the Processor’s knowledge. If the Processor can demonstrate that the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, the Controller or the Data Subjects do not have to be notified.
8.2 The notification referred to in section 8.1 must at least (if relevant):
8.3 The Controller is responsible for notifying the relevant Supervisory Authority about the Personal Data Breach when applicable and within the time limit imposed by the Applicable Data Protection Law.
8.4 The Processor shall document any Personal Data Breaches. This documentation must enable the Supervisory Authority to verify compliance with this DPA, including without limitation the TOMs and Applicable Data Protection Law. The documentation shall only include information necessary for that purpose.
9. LIABILITY AND LIMITATION OF LIABILITY
9.1 Unless otherwise agreed in the Main Agreement, a Party in breach of this DPA shall be liable for documented and relevant damages suffered by the other Party. However, neither Party shall be liable for indirect or consequential damages. The liability under the DPA for damages not covered by section 10 below shall be limited to the amount paid by the Controller under the Main Agreement during the 12 months preceding such breach.
9.2 The limitation of liability set out in section 9.1 shall not apply if the breach is caused by intent or gross negligence.
10. LIABILITY FOR DAMAGES IN CONNECTION WITH THE PROCESSING
10.1 In the event of compensation for damage in connection with Processing, through a judgment given or settlement, to be paid to a Data Subject due to an infringement of a provision in the DPA, Instructions and/or applicable provision in Data Protection Law, Article 82 of the GDPR shall apply.
10.2 Fines pursuant to Article 83 of the GDPR or supplementary provisions under local law to the EU’s data protection regulation or Applicable Data Protection Law shall be borne by the Party to the DPA named as recipient of such sanctions.
10.3 If either Party becomes aware of circumstances that could be detrimental to the other Party, the first Party shall immediately inform the other Party of this and work actively with the other Party to prevent and minimise the damage or loss.
10.4 Regardless of the content of the Main Agreement, items 10.1 and 10.2 of this DPA take precedence to other rules on the distribution between the Parties of claims among themselves as far as the processing is concerned.
11. GENERAL NOTIFICATIONS
11.1 The Processor shall without undue delay notify the Controller in writing of:
(i) any request or complaint from a Data Subject. The Processor shall not respond to that request or complaint unless it has been authorized to do so. Responding to claims or complaints from a Data Subject is thus the responsibility of the Controller; and
(ii) any request from any Supervisory Authority requiring access to or information regarding the Processor’s and/or the Sub-processors’ Processing of Personal Data covered by this DPA, including any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
12. AMENDMENTS
12.1 The Parties may amend the DPA to such extent necessary to comply with Applicable Data Protection Law or to enable the Processing. Amendments enter into force within 30 days following written notification (email to suffice) to the other Party.
12.2 The Controller must be notified if the Service is changed in such a way that new functionality is included which may result in other categories of Processing.
13. TERM AND TERMINATION
13.1 This DPA will stay in force as long as the Processor Processes or has access to Personal Data on behalf of the Controller in the context of the Main Agreement.
13.2 Upon expiration or termination, the Processor and any Sub-processors shall, at the choice of the Controller, return all the Personal Data and the copies thereof to the Con-troller or shall destroy all the Personal Data and certify to the Controller that it has done so, unless legislation imposed upon the Processor prevents it from returning or de-stroying all or part of the Personal Data. In that case, the Processor warrants that it will guarantee the confidentiality of the Personal Data and will not actively Process the Personal Data anymore.
14. GOVERNING LAW AND LEGAL VENUE
14.1 Governing law and dispute resolution shall follow as set forth in the Main Agreement.
14.2 Special clause in case of Mauritian law. When Mauritian law is applicable to the DPA, references to Articles of the GDPR in the DPA – or otherwise in the context of the Processor providing the Services to the Controller – shall be deemed to be replaced in full with the applicable sections (if any) of the Mauritian Data Protection Act set forth in Appendix 2. For the avoidance of doubt, where Applicable Data Protection Law in Mauritius does not contain regulation equivalent to that under the GDPR, the provisions of the GDPR shall not be deemed to apply.
Appendix 1: Instructions on Processing covered by the DPA
Purpose | Categories of Personal Data | Type of Processing | Legal basis |
To provide the Portal and the User Account. | | | |
To prevent abuse of a service or to prevent and investigate crimes against the company. | | | |
To deliver an individually adapted experience of the Portal. | | | |
To handle customer service issues. | | | |
To send newsletters and other periodical messages. | | | |
Appendix 2: Equivalency chart GDPR-Mauritius
GDPR Article | Mauritian Data Protection Act Section |
Article 1 – Subject-matter and objectives | Not applicable – No equivalent article |
Article 2 – Material scope | Section 3 – Application of Act |
Article 3 – Territorial scope | Section 4 – Territorial application |
Article 4 – Definitions | Section 2 – Interpretation |
Article 5 – Principles relating to processing of personal data | Section 21 – General data processing principles |
Article 6 – Lawfulness of processing | Section 28 – Lawfulness of processing |
Article 7 – Conditions for consent | Section 24 – Conditions for consent |
Article 9 – Processing of special categories of personal data | Section 29 – Processing of special categories of personal data |
Article 15 – Right of access | Section 37 – Right of access |
Article 16 – Right to rectification; Article 17 – Right to erasure; Article 18 – Right to restriction of processing | Section 39 – Rectification, erasure or restriction of processing |
Article 20 – Right to data portability | Not applicable – No equivalent article |
Article 21 – Right to object | Section 40 – Right to object |
Article 22 – Right to refuse automated processing | Section 38 – Right to refuse automated processing |
Article 28 – Requirements of Processor | Section 31 – Security of processing |
Article 30 – Records of processing activities | Section 33 – Records of processing activities |
Article 32 – Security of processing | Section 34 – Security of processing |
Article 33 – Notification of a personal data breach to the supervisory authority | Section 25 – Notification of data breach |
Article 34 – Communication of a personal data breach to the data subject | Section 26 – Communication of data breach to the data subject |
Article 35 – Data protection impact assessment (DPIA) | Section 34 – Data protection impact assessment (DPIA) |
Chapter V (Articles 44-50) – Transfer of personal data outside the EEA/EU | Section 36 – Transfer of personal data outside Mauritius |
Article 82 – Compensation and liability; Article 83 – Administrative fines | Section 42 – Unlawful disclosure of personal data; Section 15 – Application for registration; Section 17 – Change in particulars; Section 28 – Lawful processing; Section 29 – Special categories of personal data; Section 43 – Offence for which no specific penalty is provided |
When Mauritian law is applicable to the DPA, references to the above Articles of the GDPR in the DPA – or otherwise in the context of the Processor providing the Services to the Controller – shall be deemed to be replaced in full with the corresponding sections (if any) of the Mauritian Data Protection Act.