Data Processing Agreement

Last updated - 9/09/2024

1. The CONTROLLER is a company that wants to make use of Tally’s tool that allows the creation, distribution and filling in of intelligent forms.

2. The Parties have concluded a service agreement, governed by Tally’s Terms and Conditions (“Principal Agreement”) for the use of PROCESSOR’s services, being the provision of a user-friendly and intuitive tool allowing for the creation, distribution and filling in of intelligent forms (“Services”).

3. As part of the Principal Agreement, the Parties wish to conclude an agreement to regulate the processing of Personal Data (hereinafter “Agreement”) pursuant to the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “Regulation”).

4. The Parties wish to lay down in this Agreement the rights and obligations of both the CONTROLLER and the PROCESSOR.

1. Definitions

1. “Agreement” shall have the meaning of the term given in preamble C;

2. “Confidential Information” shall mean all information that is disclosed to the other Party in writing or in any material form under this Agreement and that is identified as confidential or can be identified as confidential given the nature of the data or the nature of the circumstances that require the disclosure, such as, but not limited to product information, customer lists, price lists and financial information;

3. “Controller” shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, that determines the purposes and means of the processing of Personal Data carried out under his authority, for the purposes of this Agreement understood to be the CONTROLLER;

4. “Data Subject” shall mean an identified or identifiable natural person;

5. “Employee” means an individual who is hired by an employer and has entered into or works under a contract of employment for the provision of labour services in exchange for a wage or a fixed payment. An Employee does not provide professional services as part of an independent business. Agents, distributors, advisors, consultants, freelancers, (independent) (sub)contractors or any other third party are not considered Employees for the purposes of this Agreement;

6. “Personal Data” shall mean all information relating to a Data Subject;

7. “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

8. “Processor” shall mean a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the controller, such as PROCESSOR;

9. “Security Measures” shall mean those measures aimed at protecting Personal Data against accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission;

10. “Services” shall mean the services performed by PROCESSOR in accordance with the Principal Agreement and as explained in preamble B;

11. “Subprocessor” shall mean any processor engaged as a subcontractor by the PROCESSOR and who agrees to process Personal Data for and on behalf of the CONTROLLER in accordance with this Agreement;

12. “Supervisory Authority” shall mean an independent public authority which is established by a member state pursuant to Article 51 of the Regulation;

13. “Third Party” shall mean any party who is not a Data Subject, Controller, Processor or Subprocessor under this Agreement or a person who is authorised to process Personal Data under the direct authority of the CONTROLLER or PROCESSOR;

2. Subject-matter of the agreement

1. The CONTROLLER wishes to entrust the PROCESSOR with the processing of Personal Data. The PROCESSOR shall process the Personal Data in name of and on behalf of the CONTROLLER. For the performance of Services, the CONTROLLER is responsible for the processing of personal data, and the PROCESSOR is a data processor.

2. The PROCESSOR performs the Services in accordance with the provisions of this Agreement.

3. Both Parties explicitly commit to comply with the provisions of the relevant applicable data protection laws and shall not do or omit anything that may cause the other Party to infringe the relevant and applicable data protection laws.

4. Processing Activities. The processing carried out by the PROCESSOR in name and on behalf of the CONTROLLER relates to the Services performed by the PROCESSOR. The Processing Activities consist of:
• Account creation and management
• Form creation, distribution and completion
• Data storage

5. Categories of Personal Data. The Personal Data that are processed are:
• (Electronic) identification data
• Form data

6. Data Subjects. The Data Subjects are:
• People making use of TALLY’s Services (form creators and form respondents)
• People whose personal data is included in forms, created through TALLY’s Services, by the form creator or the form respondent

7. Purposes. The PROCESSOR shall only use the Personal Data to ensure a good performance of Services as part of the Principal Agreement in accordance with the provisions of this Agreement.

8. Only those Personal Data which are mentioned in Article 2.5 may and shall be processed by the PROCESSOR. Furthermore, Personal Data shall only be processed in light of the purposes which are determined in this Article by the Parties.

9. Notwithstanding article 2.7 and 2.8 the PROCESSOR shall be allowed to process aggregated, pseudonymized or anonymized data with regard to the use of the Services for internal purposes only, namely ensuring the security of the Services provided by the PROCESSOR and the potential improvement thereof.

10. Both Parties shall undertake to adopt appropriate measures to ensure that the Personal Data are not used improperly or acquired by an unauthorised Third Party.

3. Duration of the processing

1. This agreement shall apply as long as the PROCESSOR processes Personal Data in name of and on behalf of the CONTROLLER as part of the Principal Agreement. If the Principal Agreement comes to an end, this Agreement will also come to an end.

2. In the event of a breach of this Agreement or the applicable provisions of the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the Personal Data with immediate effect.

3. In the event of the end of the Agreement, or in the event of the Personal Data no longer being relevant for the performance of the Services, the PROCESSOR shall anonymise or pseudonymise to a maximum extent the Personal Data it has received or obtained in the performance of the Services. The PROCESSOR exclusively utilizes this data for internal purposes, namely the further improvement of the Services provided by the PROCESSOR.

4. Controllers’ instructions

1. The PROCESSOR processes the Personal Data only on the documented instructions of the CONTROLLER and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this Agreement in order to perform the Services. The PROCESSOR shall not further process the Personal Data subject to this Agreement in a manner which is incompatible with these instructions and the provisions laid down in this Agreement.

2. The CONTROLLER can make limited changes to the instructions unilaterally. The PROCESSOR shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement must be agreed upon by both Parties.

3. The PROCESSOR processes the Personal Data in accordance with Article 4.1 of this Agreement, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which PROCESSOR is subject; in such a case, the PROCESSOR shall inform the CONTROLLER of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5. Assistance to the controller

1. Compliance with legislation. The PROCESSOR shall assist the CONTROLLER in ensuring compliance with its obligations pursuant to the Regulation, taking into account the nature of processing and the information available to the PROCESSOR.

2. Personal Data Breach. In the case of a Personal Data Breach related to the subject of the processing of this Agreement, the PROCESSOR shall notify the CONTROLLER without undue delay after becoming aware of a Personal Data Breach. This notification shall at least include following information:
1. The nature of the Personal Data Breach;
2. The categories of Personal Data that are affected;
3. The categories and approximate number of Data Subjects concerned;
4. The categories and approximate number of personal data records concerned;
5. The likely consequences of the Personal Data Breach;
6. Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

3. In case the PROCESSOR makes use of a Subprocessor, the PROCESSOR shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The PROCESSOR shall promptly relay the information received from the Subprocessor to the CONTROLLER.

4. The PROCESSOR and its Subprocessor(s) shall appoint among their Employee a single point of contact who shall be responsible for all communication between the PROCESSOR, the Subprocessor(s) and the CONTROLLER in the event of an incident which has led or may lead to an accidental or non-authorised destruction or loss or a non-authorised access, alteration or transmission of the Personal Data processed on behalf of CONTROLLER.

5. The CONTROLLER shall exclusively decide, at its own discretion and in compliance with the relevant and applicable data protection laws, whether or not Data Subjects whose Personal Data have been impacted by a Personal Data Breach shall be notified of this. It is the responsibility of the CONTROLLER to notify the Supervisory Authority of a Personal Data Breach.

6. The Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach.

7. Data Processing Impact Assessment (DPIA). Furthermore, the PROCESSOR shall assist the CONTROLLER as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the Regulation. However, the PROCESSOR, at its own discretion, is free to charge additional costs for the performance of these services. These costs shall at all times be in relation to the delivered performances.

6. Information obligations

• All relevant details regarding its own corporate structure, as well as accurate and up-to-date identifying information on all of PROCESSORS’ entities involved in the processing of Personal Data, including the location of their main establishment;

• Without prejudice to what has been agreed in Article 9, the aspects of the processing that rely or intend to rely on the Services of a Subprocessor, as well as the identification data of a Subprocessor including the location of its main establishment, and the PROCESSOR shall relay to the CONTROLLER the agreement with the Subprocessor(s) which pertains or is relevant to the processing of Personal Data, unless where such agreement with the Subprocessor(s) contains Confidential Information, in which case it may remove such Confidential Information;

• Geographical details of processing locations, including back-up and redundancy facilities;

• The physical, organisational, technical and logical Security Measures that the PROCESSOR and its Subprocessor(s) have implemented, as set out in Article 11 of this Agreement.

7. Processors’ obligations

1. The PROCESSOR shall handle all reasonable requests of the CONTROLLER concerning the processing of Personal Data related to this Agreement, immediately or within a reasonable time (depending on the legal obligations defined in the Regulation) and in a proper manner.

2. The PROCESSOR guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this Agreement.

3. The PROCESSOR undertakes to not process Personal Data for another purpose than the performance of the Services and the compliance with the responsibilities of this Agreement in accordance with the documented instructions of the CONTROLLER; if the PROCESSOR, for any reason, cannot comply with this requirement, he shall notify the CONTROLLER without delay thereabout.

4. The PROCESSOR shall notify the CONTROLLER without delay if he is of the opinion that an instruction from the CONTROLLER violates the applicable legislation related to data protection.

5. The PROCESSOR shall ensure that the access to, the inspection, the processing and the disclosure of Personal Data shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e. data are only disclosed to the persons that require Personal Data for the performance of the Services).

6. The PROCESSOR shall undertake to not disclose Personal Data to other persons than the Employees of the CONTROLLER who need the Personal Data to comply with the obligations of this Agreement, and shall ensure that the relevant Employee shall commit themselves to confidentiality or are under a statutory obligation of confidentiality unless such disclosure is foreseen under the Principal Agreement.

7. As of the 25th of May 2018 the PROCESSOR has the obligation to create and maintain a record of processing activities related to this Agreement; the PROCESSOR shall make the record available upon first request of the CONTROLLER, an auditor appointed by the CONTROLLER and/or the Supervisory Authority.

8. Controllers’ obligations

1. The CONTROLLER shall render all assistance needed and shall cooperate in good faith with the PROCESSOR in order to ensure that all processing of Personal Data complies with the requirements of the Regulation particularly with the principles relating to processing of Personal Data.

2. The CONTROLLER shall agree with the PROCESSOR on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Data that are processed by the PROCESSOR on behalf of the CONTROLLER is well received between the Parties. The CONTROLLER shall notify the PROCESSOR of the identity of the single point of contact at the CONTROLLER that the PROCESSOR is required to contact in application of this Article 8.2.

3. The CONTROLLER warrants that it shall not issue any instructions, directions or requests to the PROCESSOR, which do not comply with the provisions of the Regulation.

4. Without prejudice to Article 14.2 of this Agreement, the CONTROLLER shall render the assistance needed for the PROCESSOR and/or its Subprocessor(s) to comply with a request, order, inquiry or subpoena directed at the PROCESSOR or its Subprocessor(s) by a competent national governmental or judicial authority.

5. The CONTROLLER warrants that it shall not issue instructions, directions or requests to the PROCESSOR which would require the PROCESSOR and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the PROCESSOR and/or its Subprocessor(s) are subject.

6. The CONTROLLER warrants that it shall cooperate in good faith with the PROCESSOR in order to mitigate the adverse effects of a security incident impacting Personal Data processed by the PROCESSOR and/or its Subprocessor(s) on behalf of the CONTROLLER.

9. The use of subprocessors

1. The CONTROLLER acknowledges and agrees that the PROCESSOR has engaged Subprocessors to help deliver the Services of the PROCESSOR. The CONTROLLER gives by means of this Agreement his general authorisation to the PROCESSOR to work with Subprocessors. Parties agree that the main Subprocessors engaged by the PROCESSOR deliver the Services of the PROCESSOR to the CONTROLLER (as agreed in the Principal Agreement) shall be qualified as Substantial Subprocessors. If the PROCESSOR wishes to change or involve a new Substantial Subprocessor, the CONTROLLER shall be notified thereof and be given the opportunity to communicate any reasonable concerns the CONTROLLER might have with such replacement or addition of a Substantial Subprocessor.

2. Without prejudice to the foregoing, the Parties agree that the PROCESSOR shall not be required to disclose the identity of each Subprocessor (categories of Subprocessor shall suffice in combination with the information set forth in Article 5.3, 6 and 7 with regard to Subprocessors). Notwithstanding the above, the CONTROLLER can at all times request the PROCESSOR to disclose the identity of a Substantial Subprocessor and the PROCESSOR shall do so if such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the PROCESSOR has entered into with the relevant Substantial Subprocessor. If the PROCESSOR cannot disclose the identity of a Substantial Subprocessor, the PROCESSOR shall be obliged to provide a formal justification in writing.

3. The PROCESSOR shall ensure that its Subprocessors will be bound to the same obligations with respect to Personal Data as to which the PROCESSOR is bound by this Agreement.

4. The PROCESSOR shall relay the purposes determined and instructions issued by the CONTROLLER in an accurate and prompt manner to the Subprocessor(s) when and where these purposes and instructions pertain to the part of the processing in which the Subprocessor(s) is(are) involved.

5. As part of this Agreement the PROCESSOR makes use of the following categories of Subprocessors in order to ensure the performance of the Services to the Data Subjects.
• Hosting service providers
• Payment service providers
• Communication service providers

10. Rights of the data subjects

1. Taking into account the nature of the processing, the PROCESSOR assists the CONTROLLER by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the CONTROLLER’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the Regulation.

2. With respect to any request from Data Subjects regarding their rights concerning the processing of Personal Data pertaining to them by the PROCESSOR and/or its Subprocessor(s), the following conditions apply:
• The PROCESSOR shall on a best efforts basis promptly inform the CONTROLLER of any request made by a Data Subject with regard to the Personal Data the PROCESSOR and/or its Subprocessor(s) processes on behalf of the CONTROLLER, without giving any consequence to such request unless explicitly authorised by the CONTROLLER to do so;
• The PROCESSOR shall promptly comply and shall require its Subprocessor(s) to promptly comply with any request made by the CONTROLLER in order for the CONTROLLER to comply with a request made by the Data Subject who wishes to exercise one of its rights;
• The PROCESSOR shall ensure that both it and its Subprocessor(s) have the technical and organisational capabilities required to block access to Personal Data and to physically destroy data with no means of recuperation if and when such request is made by the CONTROLLER;
• The PROCESSOR shall, upon simple request of the CONTROLLER and upon best efforts basis render all assistance required and provide all information necessary for the CONTROLLER to defend its interests in any proceedings – legal, arbitral or others – brought against the CONTROLLER or its Employee for any violation of fundamental rights to privacy and protection of Personal Data of Data Subjects.

11. Security measures

1. Throughout the term of this Agreement the PROCESSOR shall have in place and maintain appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the Data Subject.
The PROCESSOR shall amongst others have in place technical and organisational measures against unauthorised and unlawful processing, and shall on a regular basis evaluate and adjust if required, the appropriateness of the Security Measures.

2. More in particular, the PROCESSOR shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, according to Article 32 of the Regulation.

3. In assessing the appropriate level of security, account was taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

4. The CONTROLLER reserves the right to suspend and/or terminate the Principal Agreement, where the PROCESSOR can no longer provide for technical and organisational measures appropriate to the risk of processing.

5. The PROCESSOR has implemented, amongst others, but not limiting to, the general physical, logical, technical and organisational security measures set out in Schedule I to this Agreement.

12. Audit

1. The PROCESSOR acknowledges that the CONTROLLER is under the supervision of several/a Supervisory Authority/ies. The PROCESSOR acknowledges that the involved Supervisory Authority will have the right to perform an audit at any time and at least during normal business hours of the PROCESSOR, during the term of this Agreement to assess the PROCESSOR’s compliance with the Regulation and the provisions of this Agreement. The PROCESSOR shall provide the necessary cooperation.

2. The PROCESSOR shall appoint every two (2) years an independent auditor to perform such audit. The final results of such audit report (without any confidential information) shall be communicated to the CONTROLLER upon first request. The PROCESSOR shall bear the costs of such audit.

3. The CONTROLLER shall only have a right to audit the PROCESSOR if the CONTROLLER has justifiable grounds to request such audit and if such grounds are communicated and demonstrated in writing to the PROCESSOR. Justifiable grounds shall mean a (strong presumption of) a data breach in the meaning of Article 4 of the GDPR (and in the case of an actual data breach if such data breach has not been notified and no remediation actions have been taken), destruction of confidential Personal Data or a material breach of any of the PROCESSOR’s obligations under this Agreement).

4. In such event and upon written request of the CONTROLLER, the PROCESSOR will provide an independent third party, certified auditor, appointed by the CONTROLLER or the involved Supervisory Authority access to the relevant parts of the administration of the PROCESSOR and all locations and information of interest of the PROCESSOR (and those of its agents, subsidiaries and sub-contractors) to determine if the PROCESSOR is compliant with the Regulation and the provisions of this Agreement. On request of the PROCESSOR, the concerned parties shall agree a confidentiality agreement.

5. The CONTROLLER shall take all appropriate measures to minimise any obstruction caused by the audit on the daily functioning of the PROCESSOR or the Services performed by the PROCESSOR.

6. If there is agreement between the PROCESSOR and the CONTROLLER on a material shortcoming in the compliance with the Regulation and/or the Agreement, as revealed in the audit, the PROCESSOR shall remedy this shortcoming as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.

7. The CONTROLLER will bear the costs of any performed audit in the meaning of this Article. Although, when the audit has revealed that the PROCESSOR is manifestly not compliant to the Regulation and/or the provisions of this Agreement, the PROCESSOR shall bear the costs of such audit.

13. Transfer to third parties

14. International transfer

1. The Parties agree that Personal Data can only be transferred to and/or kept with the recipient outside the European Economic Area (EEA) in a country that not falls under an adequacy decision issued by the European Commission by exception and only if necessary to comply with the obligations of this Agreement. Such transfer shall be governed by the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of June 4, 2021 (Decision (EU) 2021/914), or by other mechanisms foreseen by the applicable data protection law.

2. The PROCESSOR shall prior to the international transfer inform the CONTROLLER about the particular measures taken to guarantee the protection of the Personal Data of the Data Subject in accordance with the Regulation.

15. Conduct in relation to national governmental and judicial authorities

1. The PROCESSOR shall inform the CONTROLLER immediately of any request, order, inquiry or subpoena by a competent national governmental or judicial authority directed at the PROCESSOR or its Subprocessor which entails the communication of Personal Data processed by the PROCESSOR or a Subprocessor for and on behalf of the CONTROLLER or any data and/or information associated with such processing.

2. Without prejudice to article 15.1 of this Agreement, the PROCESSOR warrants that there are no obligations of applicable statutory law, which make it impossible for the PROCESSOR to comply with its obligations under this Agreement.

16. Intellectual property rights

17. Confidentiality

1. The PROCESSOR commits itself to handle the Personal Data and its processing with utter confidentiality. The PROCESSOR shall guarantee the confidentiality with measures that are not less restrictive than the measures he uses to protect his own confidential material, including Personal Data.

2. The PROCESSOR ensures that employees or the Subprocessors authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

18. Liability

1. The CONTROLLER is liable for damage caused by processing in violation of the Regulation. Without prejudice to the Principal Agreement, the PROCESSOR is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the CONTROLLER.

2. A Party is liable (contractual or in tort/delict (including default) or by any means associated with this Agreement, including liability for severe misconduct) for verified shortcomings attributable to her. The liability of the Parties for a breach under this Agreement, shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where ‘’consequential damage’’ means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.

3. If it appears that both the CONTROLLER and the PROCESSOR are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.

4. In any event the total liability of the PROCESSOR under this Agreement shall be limited to the cause of damage and to the amount that equals the total amount of fees paid by the CONTROLLER to the PROCESSOR for the delivery and performance of the Services for a period not more than twelve months immediately prior to the cause of damages. In no event shall the PROCESSOR be held liable if the PROCESSOR can prove he is not responsible for the event or cause giving rise to the damage.

19. Mediation and jurisdiction

1. The PROCESSOR agrees that if the Data Subject invokes against it claims for damages under this Agreement, the PROCESSOR will accept the decision of the Data Subject:
• To refer the dispute to mediation by an independent person;
• To refer the dispute to the courts in Ghent, Belgium

2. The Parties agree that the choice made by the Data Subject will not prejudice the Data Subject’s substantive or procedural rights to seek remedies in accordance with other provisions of applicable national or international law.

3. Any dispute between the Parties regarding the terms of this Agreement shall be brought before the competent courts as determined in the Principal Agreement.

20. Termination of the agreement

1. This Agreement shall apply as long as the PROCESSOR processes Personal Data on behalf of the CONTROLLER.

2. In the event of breach of this Agreement or the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the information with immediate effect.

3. The PROCESSOR shall not store the data any longer than needed to perform the Service for which the data is provided. At the choice of CONTROLLER, the PROCESSOR shall delete or return all the Personal Data to the CONTROLLER after the end of the provision of Services in relation to processing, and deletes existing copies, and will certify that it has done so, unless Union or Member State law requires storage of the Personal Data. The Personal Data shall be provided to the CONTROLLER without charge, unless otherwise agreed upon.

21. General provisions

1. This Agreement constitutes the entire understanding and agreement between the Parties with respect to the subject matter hereof and supersedes all prior discussions, negotiations, understandings, and agreements, whether oral or written.

2. TALLY may amend this Agreement at any time and is expressly committed to ensuring that any amendment complies with applicable ethical principles and legislation (including the Regulation). Amendments will be effective thirty (30) days following their publication through a written notification. Following this period, the CUSTOMER will be considered to have tacitly accepted the changes. The most recent version of this Agreement will always be available on TALLY’s website (www.tally.so) for easy access and review.

SCHEDULE I - TOM

Description of Technical & Organizational Measures

• TALLY has implemented organizational security practices and ensures compliance with those.

• TALLY has nominated an appropriate individual to hold accountability for ensuring technical and organizational compliance with security and data protection controls as defined regulations, contracts, and TALLY’ own policies.

• TALLY has or ensures that measures are in place to counteract and / or ensure timely recovery of its IT systems storing or processing data, or IT systems otherwise supporting the Services provided, in case of an incident or disaster.

• TALLY ensures the integrity and availability of information and information processing facilities is ensured through back-ups of information, code and software.

• Security practices for handling and storage of information are applied by TALLY and its staff to protect information from unauthorized disclosure or misuse.

• TALLY ensures media is disposed of securely and safely when it is no longer required.

• TALLY ensures that system documentation is protected against unauthorized access.

• TALLY maintains the security of information and software exchanged within its organization and with any third party; this includes exchange agreements, physical media in transit, electronic messaging and the protection of information associated with the interconnection of business information systems.

• TALLY has established and implemented logical access controls to ensure authorized access to users and to prevent unauthorized access, in particular, to sensitive personal data.

• TALLY ensures that key resources that support the Services are protected by multi-factor authentication.

• TALLY has processes in place to manage access for staff joiners, movers and leavers to ensure access rights allocation is properly approved, remains in line with least-privilege principles, and is timely removed where needed.

• TALLY periodically reviews user access rights to ensure that the allocation and use of privileges are controlled and restricted where necessary.

• In higher risk situations TALLY has supplemented existing access controls with encryption solutions both for data at rest as in transit.

• Higher risk situations include (but are not limited to):
• Data processed on behalf of the CUSTOMER
• Personal Data

• TALLY ensures that networks and network controls under its scope of responsibility and directly affecting the Services in scope are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

• TALLY ensures that all employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their work.

• TALLY ensures that its employees, contractors and third party users that handle personal data (including pseudonymized personal data) are aware of the definition of personal data and special categories of personal data as defined under GDPR.

• TALLY ensures that where relevant, all employees, contractors and third-party users receive appropriate awareness training.

• TALLY ensures that its employees use institutional e-mail addresses and other institutional pre-authorized collaboration tools when communicating or transferring data and/or personal data.

• TALLY ensures that the appropriate security perimeters and entry controls are in place to prevent unauthorized physical access, damage and interference to TALLY ’s premises and information including all end user devices.

• TALLY ensures that equipment is correctly maintained to ensure its continued availability and integrity.

• TALLY ensures their security practices includes data retention and data destruction policies and security standards.

• TALLY ensures all data is deleted, anonymized or otherwise disposed of at the end of its retention period, especially when it relates to personal data.

• TALLY ensures appropriate controls are implemented to prevent records from loss, destruction or falsification during their retention period.

• TALLY periodically follows up on vulnerabilities published or disclosed related to its systems and place, and takes appropriate action to reduce risks resulting from exploitation of published technical vulnerabilities.

• TALLY embeds the necessary security vulnerability testing practices in its development process.

• TALLY has practices in place to ensure a quick, effective and orderly response to security incidents and to report and manage information security incidents and weaknesses.

• TALLY has security practices in place to check for security events to detect unauthorized information processing activities.

• TALLY has deployed anti-malware defenses.

• TALLY ensures it works with reputable third parties, especially when such third parties would also be considered (sub-)processors of personal data.

• TALLY puts in place the necessary data processing agreements, ensure relevant security clauses are included in contracts, and also reviews and obtains the third party’s independent assurance reports or certificates where such is relevant and available (e.g. ISO 27001, ISO 27701 or SOC 2 Type II report).

SCHEDULE II - STANDARD CONTRACTUAL CLAUSES

SECTION I

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.

2. The Parties:

3. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

4. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

1. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

2. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

2. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

3. Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

4. Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

5. Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

6. Clause 13;

7. Clause 15.1(c), (d) and (e);

8. Clause 16(e);

9. Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

10. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

SECTION II – OBLIGATIONS OF THE PARTIES

1. The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

2. The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

3. The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

4. After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

1. The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data (7), the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

2. The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

3. The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

1. The Parties shall be able to demonstrate compliance with these Clauses.

2. The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

2. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

3. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

4. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

5. The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
2. the data importer is in substantial or persistent breach of these Clauses; or
3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

4. In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

5. Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

6. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

ANNEX I

• People making use of Tally’s services (form creators and form respondents)

• People whose personal data is included in forms, created through Tally’s services, by the form creator or the form respondent

• (Electronic) identification data

• Form data

• In essence no sensitive data is transferred, unless so included by users in created forms through Tally’s services or in responses to such forms.

• Tally takes appropriate technical and organizational measures, in accordance with article 32 GDPR, and as set out in article 11 of the Agreement.

• The frequency of the transfer will be dictated by the use of Tally’s services by form creators and form respondents (continuous basis).

• Personal data will be collected (and stored) through Tally’s services and subsequently made available to form creators and form respondents.

• Allowing for the use of Tally’s services by form creators and form respondents.

• Personal data will be retained for the duration of the contractual relationship between Tally, acting as Processor, and its customer, acting as Controller (unless a longer retention period is mandated by law).

• Notwithstanding the above, Personal Data will be deleted when the form creator/form respondent deletes its account, or the form creator deletes the form.

• Tally makes use of the categories of sub-processors as set out in article 9 of the Agreement. Any such processing takes place for the duration of the contractual relationship between Tally, acting as Processor, and its customer, acting as Controller (unless a longer retention period is mandated by law).

ANNEX II

ANNEX III