Data Processing Addendum



This Data Processing Addendum (“Addendum”) is between eCIO, Inc. (“eCIO”) and the customer entity utilizing eCIO Services (“Customer”). This Addendum amends and forms part of the service agreement(s) between the parties that reference this Addendum (including, without limitation, the eCIO Terms of Service (SAAS), if applicable) which respectively govern the technical support services and/or software-as-a-service solutions provided by eCIO to Customer (“Services”) (together, the “Agreement”). In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In the course of providing the Services to Customer pursuant to the Agreement, eCIO may process personal data on behalf of Customer. This Addendum sets out the additional terms, requirements and conditions on which eCIO will process personal data as far as such processing relates to the performance of the Services.

1. Processing of Personal Data.

1.1. Roles of the Parties. The parties acknowledge that for the purposes of the Data Protection Legislation and solely in respect of personal data submitted by or on behalf of Customer to eCIO for processing in the course of providing the Services, Customer is the controller and eCIO is the processor. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws including (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws, regulations and secondary legislation including the UK Data Protection Act 2018, (ii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and (iii) any replacement legislation implemented by the United Kingdom (“UK”) pursuant to the withdrawal of the UK from the European Union, in each case as amended, replaced or updated from time to time. Where used in this Addendum, the terms “controller”, “processor”, “data subject”, “personal data”, “personal data breach” and “processing” (including “process”) shall have the meanings given to them or to similar terms in the applicable Data Protection Legislation.

1.2. Details of Processing. Both parties will comply with all applicable requirements of the Data Protection Legislation. Customer appoints eCIO as a processor to process such personal data on behalf of Customer, and in accordance with Customer’s documented instructions. The scope of such instructions are initially defined by the Agreement. eCIO shall inform Customer if, in its opinion, an instruction infringes the Data Protection Legislation, or if it cannot comply with Customer’s documented instructions for whatever reason. In any such case, the parties shall work together to find an alternative. If eCIO notifies Customer that neither the instruction nor an alternative is feasible, Customer may terminate the affected Services in accordance with the terms of the Agreement. Any previously accrued rights and obligations will survive such termination. Customer acknowledges that certain specific instructions may result in additional fees payable by Customer to eCIO for carrying out those instructions. Annex A sets out the scope, nature and purpose of processing by eCIO, the duration of the processing and the types of personal data and categories of data subject.

1.3. Customer Responsibilities. Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to eCIO for the duration and purposes of this Addendum. Customer shall not cause eCIO to violate any applicable laws in its processing of the personal data in accordance with Customer’s instructions.

1.4. California Consumer Privacy Act (“CCPA”). eCIO is a “Service Provider” as defined in CCPA Section 1798.140(v). Customer discloses personal data to eCIO solely for: (i) a valid business purpose; and (ii) eCIO to perform the Services. eCIO is prohibited from: (i) selling Customer’s personal data; (ii) collecting, retaining, using, or disclosing Customer’s personal data for any purpose other than providing the Services to Customer; and (iii) collecting, retaining, using, or disclosing Customer’s personal data outside of the direct business relationship between eCIO and Customer. eCIO certifies that it understands the prohibitions outlined in this Section 1.4 and will comply with them. Customer understands and agrees that eCIO may use sub-processors to provide the Services and process personal data on Customer’s behalf in accordance with Section 7 below. The parties agree that any monetary consideration provided by Customer to eCIO is provided for the provision of the Services and not for the provision of personal data.

2. Security.

2.1. Security Measures. eCIO shall ensure that is has in place appropriate technical and organizational measures to protect against a personal data breach, appropriate to the harm that might result from the personal data breach and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures are set out in Appendix 2 of Annex B.

2.2. Breach Notification. eCIO shall, to the extent permitted by law, notify Customer without undue delay upon discovery of a personal data breach that is connected to Customer.

  1. Personnel. eCIO shall ensure that all personnel who process, or have access to, personal data have committed themselves to keep the personal data confidential in accordance with eCIO’s confidentiality obligations under the Agreement.
  1. Cooperation with Customer. Taking into account the nature of the processing and the information available to eCIO, eCIO shall reasonably assist Customer, at Customer’s expense, in responding to any request from a data subject exercising its rights (such as rights to rectification, erasure, blocking, accessing their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making) and in responding to any inquiries from, or communicating with, a data protection regulator or data subject (including with regard to a personal data breach), and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
  1. Return and Deletion of Personal Data. At the written direction of Customer, eCIO shall delete or return personal data and copies thereof to Customer following termination of the Agreement unless required by applicable law (including any Data Protection Legislation) to store the personal data.


6.1. Audit Requirements. The parties acknowledge that Customer must be able to assess eCIO’s compliance with its obligations under Data Protection Legislation, to the extent that eCIO is acting as a processor on behalf of Customer. Customer further agrees that the audits described in Section 6.2 below meet Customer’s audit requirements, and Customer agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to eCIO to carry out the audits described in Section 6.2.

6.2. Audit Procedures. Upon not less than thirty (30) days’ advance written notice to eCIO and no more frequently than once annually, with eCIO’s reasonable costs of complying with any such request to be met by Customer, eCIO shall (i) make available all information necessary to demonstrate to Customer its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to Customer’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if Customer’s request for audit occurs during eCIO’s quarter or year end, or such other time during which eCIO cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days’ advance written notification. Customer shall execute a confidentiality agreement in form and substance reasonably satisfactory to eCIO prior to such audit. For the avoidance of doubt, nothing contained herein will allow Customer to review data pertaining to eCIO’s other customers or partners. Customer shall bare its own costs and expenses with respect to the audits described in this Section 6.2. The parties shall use all reasonable endeavours when exercising rights under this Section 6 to minimize disruption to eCIO’s business activities.

7. Sub-Processors.

7.1. Use of Sub-Processors. Customer provides general written authorization for: (a) eCIO to engage with sub-processors, (b) eCIO to engage eCIO’s Affiliates as sub-processors and (c) eCIO’s Affiliates to engage third-party sub-processors (including other Affiliates as sub-processors). For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). eCIO and its Affiliates may engage such sub-processors to process personal data for the purposes set forth in Section 1 and Annex A, provided that:

7.1.1. eCIO has entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum; and

7.1.2. eCIO remains liable for the acts and omissions of its sub-processors to the same extent eCIO would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.

8. International Transfers of Personal Data.

8.1. Transfers Outside the EEA, UK or Switzerland. If eCIO transfers any personal data under this Addendum out of the European Economic Area (“EEA”), UK or Switzerland (including from the EEA to the UK following the expiry of any relevant transition period following the withdrawal of the UK from the European Union during which transfers of personal data to the UK from the EEA are permitted without the use of an appropriate safeguard described in Article 46 of the GDPR), eCIO will take such measures as are necessary to ensure the transfer is in compliance with the Data Protection Legislation. Such measures may include, without limitation, transferring the personal data to a recipient (i) in a country that the European Commission has decided provides adequate protection for personal data; (ii) that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Legislation; or (iii) that has entered into the Standard Contractual Clauses with eCIO.

8.2. Standard Contractual Clauses. To the extent that eCIO processes any personal data under this Addendum that originates from the EEA, UK or Switzerland in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses. As used in this Addendum, “Standard Contractual Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, which are hereby incorporated into and form part of this Addendum. The parties hereby agree that data processing details set out in Annex A of this Addendum shall apply for the purposes of Appendix 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this Addendum shall apply for the purpose of Appendix 2 to the Standard Contractual Clauses. eCIO shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Customer grants eCIO a mandate to execute the Standard Contractual Clauses with any relevant subprocessor (including eCIO Affiliates) it appoints on behalf of Customer. Unless eCIO notifies Customer to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Unless eCIO notifies Customer to the contrary, if the European Commission subsequently introduces standard contractual clauses for the transfer of personal data from processors in the European Union to subprocessors established in third countries (processor-to-subprocessor transfers) at a date later than the Effective Date of this Addendum, such processor-to-subprocessor clauses will supersede and replace any Standard Contractual Clauses executed between the parties, where relevant.

8.3. Alternative Data Export Solution. The parties agree that the data export solution identified in Section 8.2 will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation) outside of the EEA, UK or Switzerland, in which event, Customer shall reasonably cooperate with eCIO to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this Addendum).

9. Miscellaneous.

9.1. Entire Agreement. This Addendum shall replace and supersede any existing data processing addendum, attachment or exhibit (including any Standard Contractual Clauses) between the parties.

9.2. Liability. Notwithstanding anything to the contrary in the Agreement or this Addendum, the liability of each party and each party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement or, in the absence of such a provision in the Agreement, the following will apply: (a) in no event will either party’s maximum aggregate liability arising out of or related to the Agreement or this Addendum, exceed the total amount paid or payable to eCIO under the Agreement during the twelve (12) month period preceding the date of initial claim, and (b) neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this Addendum.

9.3. Governing Law. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

9.4. Termination of Addendum. This Addendum will terminate simultaneously and automatically with the termination or expiry of the Agreement.


Subject matter and duration of the processing of Customer personal data:

The subject matter and duration of the processing of the Customer personal data are set out in the Agreement and this Addendum.

The nature and purpose of the processing of Customer personal data:

eCIO will process personal data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer (as expressly set forth in this Addendum) in its use of the Services.

The types of Customer personal data to be processed:

Customer may submit personal data to eCIO to enable eCIO to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include (depending on the nature of the Services):

  • First and last name and title;
  • Employer / Affiliated Organization;
  • Contact information (email, username, photo, logo, mobile phone number, physical business address, social media links);
  • Device identification data (Device ID);
  • Electronic identification data (IP address; MAC address);
  • Technical data (operating system information; software logs; crash reports);
  • Username and password to eCIO Services; and

The categories of data subject to whom the Customer personal data relates:

Customer may submit personal data to eCIO to enable eCIO to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which include:

  • Customers, business partners, and vendors of Customer (who are natural persons)
  • Employees or contact persons (both of whom are natural persons) of Customer customers, business partners, and vendors
  • Employees, agents, advisors, contractors, or any user authorized by Customer to use the Services (who are natural persons)


eCIO shall maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of Customer’s Personal Data processed by eCIO as part of the Services.

Last updated: March 5th, 2021