1. Scope and Definitions
This DPA applies to the extent ascentX processes personal data that is part of Customer Data (as defined in the Terms) on behalf of the customer in connection with the services. Terms such as "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meanings given in applicable data protection law, including the EU/UK General Data Protection Regulation and equivalent state and national laws.
In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. In the event of a conflict between this DPA and a signed order form regarding data processing, the signed order form controls for that conflict only.
2. Roles of the Parties
As between the parties, the customer is the controller (or, where applicable, processor or subcontracted processor acting on behalf of its own customers) of personal data within Customer Data, and ascentX is the processor, service provider or contractor acting only on the customer's instructions.
ascentX will not process personal data for any purpose other than to provide, secure, support and improve the services as instructed by the customer, as permitted by this DPA, the Terms or applicable order form, or as required by law.
3. Customer Instructions
ascentX will process personal data only on the customer's documented instructions, including those given through configuration of the services, the Terms, an order form, or this DPA, unless required to do otherwise by applicable law. If ascentX believes an instruction infringes applicable data protection law, it will inform the customer promptly.
The customer is responsible for the accuracy and quality of personal data, for the legality of the means by which it acquired personal data, and for ensuring it has a lawful basis to submit personal data to ascentX and to instruct the processing described in this DPA.
4. Confidentiality of Personnel
ascentX will ensure that personnel authorized to process personal data are subject to a binding written confidentiality obligation, whether by contract or statutory duty, and have received appropriate training on data protection.
5. Security Measures
ascentX will implement and maintain appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing. These measures include, as applicable: encryption of personal data in transit and at rest where appropriate, access controls and role-based permissions, audit logging, network and application security controls, and a documented incident response process.
The customer is responsible for configuring user access, source-system permissions, authentication and other account-level security controls available within the services.
6. Subprocessors
The customer provides general authorization for ascentX to engage subprocessors to support delivery of the services (for example, cloud hosting, email delivery, payment processing and similar infrastructure providers), provided ascentX imposes data protection obligations on each subprocessor that are no less protective than those in this DPA.
ascentX remains responsible for each subprocessor's performance of its data protection obligations. ascentX will make available, on request, a current list of subprocessors materially involved in processing personal data, and will provide notice of the addition of any new subprocessor with a reasonable opportunity for the customer to object on reasonable data protection grounds before that subprocessor begins processing.
7. International Transfers
Where personal data is transferred from a jurisdiction with restrictions on cross-border transfer (such as the European Economic Area, the United Kingdom or Switzerland) to a jurisdiction not recognized as providing an adequate level of protection, the parties will rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism, which will be incorporated by reference into this DPA as applicable.
8. Assistance and Audits
Taking into account the nature of processing, ascentX will provide reasonable assistance to the customer in responding to data subject requests and in meeting the customer's obligations relating to data protection impact assessments and consultations with supervisory authorities, where required by applicable law, at the customer's reasonable cost where the assistance requires material additional resources.
ascentX will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the customer or an independent auditor on the customer's behalf, subject to reasonable advance notice, confidentiality obligations, and no more than once per year absent a security incident or regulatory requirement.
9. Personal Data Breach Notification
ascentX will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data, and will provide information reasonably available to it concerning the nature of the breach, likely consequences, and measures taken or proposed to address it, to support the customer's own notification obligations under applicable law.
10. Deletion and Return of Personal Data
On termination or expiry of the Terms, and at the customer's written request made within the period stated in the Terms, ascentX will make Customer Data available for export and will delete remaining personal data within a reasonable period thereafter, except to the extent applicable law requires retention, in which case ascentX will isolate and protect that data from further processing.
11. Liability
Each party's liability arising out of or in connection with this DPA, whether in contract, tort or otherwise, is subject to the limitations and exclusions of liability set out in the Terms.
12. General
This DPA will terminate automatically on expiry or termination of the Terms. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force and effect. Notices under this DPA should be sent to privacy@ascentx.dev.