This Data Processing Addendum (hereinafter: the “DPA”) supplements and forms an integral part of the Terms of Service for the Sketch Platform available at www.sketch.com (hereinafter: the “Terms”) as concluded between You (hereinafter: “Controller”) and Sketch (hereinafter: “Processor”). You and Sketch are hereinafter collectively also referred to as “Parties” and separately as a “Party”.
By accepting the terms of this DPA, You represent that You have the authority to bind Controller to this DPA.
- The Parties have agreed that Processor shall provide certain services to Controller (hereinafter: the “Service”), as further set out in the Terms of which this DPA forms an integral part;
- As part of the delivery of the Service, Processor will process personal data on behalf of Controller; and
- The Parties wish to set out their rights and obligations in respect of such processing of personal data in this DPA.
Hereby agree as follows:
In this DPA, the following terms, whether single or plural, shall have the meaning assigned to them in this Paragraph:
- “Applicable Legal Requirements” — any and all international, European Union, national, provincial or local law, regulation, order, statute, administrative order or treaty, judgment, court order, code of conduct (whether or not binding), guidance or any other requirement of any relevant government or government agency or regulatory authority, as they apply to either or both of the Parties in the performance of the Terms.
- “Controller Personal Data” — any information relating to an identified or identifiable natural person, which is either supplied by Controller to Processor, or which is collected or generated by Processor, in both cases in order for Processor to provide its services under the Terms, and as further described in SCHEDULE A – DETAILS OF PROCESSING.
- “Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed by Processor.
- “Data Subject Request” — the exercise by a Data Subject of their rights under, and in accordance with, the GDPR.
- “Data Subject” — a natural person whose personal data is processed in the performance of the Terms.
- ”Effective Date” — the later of: (i) the date the Parties entered into the Terms; or (ii) the date this DPA was accepted by You.
- ”GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “Restricted Country” — a country or territory outside the European Economic Area that does not benefit from an adequacy decision by the European Commission.
- “Restricted Transfer” — (i) a transfer of Controller Personal Data from Controller to Processor in a Restricted Country; or (ii) an onward transfer of Controller Personal Data from Processor to a Subprocessor in a Restricted Country.
- “Standard Contractual Clauses” — the standard data protection clauses issued by the European Commission (from time to time) for the transfer of personal data from controllers established inside the European Economic Area (EEA) to processors established in a Restricted Country.
- “Subprocessor” — a third party that Processor uses to process Controller Personal Data in order to provide parts of the Service and/or related technical support.
- “Terms” — the Terms of Service for the Sketch Platform (including the Sketch Mac app, Sketch Cloud and Sketch Mirror) available at www.sketch.com.
The terms “personal data”, “special category data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.
- This DPA relates to the processing of Controller Personal Data by Processor on behalf of Controller in the course of performing Processor’s obligations under the Terms. Further details of such processing are set out in SCHEDULE A – DETAILS OF PROCESSING.
- In the course of performing its obligations under the Terms, Processor shall process Controller Personal Data solely on the instruction of Controller and not use or otherwise process Controller Personal Data for any other purpose, unless required to do so by Applicable Legal Requirements.
- By entering into this DPA, Controller hereby authorises and instructs Processor to process Controller Personal Data: (i) to provide the Service and related technical support; (ii) as otherwise permitted or required by Controller’s use of the Service and/or its requests for technical support; (iii) as otherwise permitted or required by the Terms, including this DPA; and (iv) as further documented in any other written instructions that Controller gives to Processor.
- Processor shall promptly notify Controller if Processor is of the opinion that an instruction given by Controller would cause the Processor to act contrary to Applicable Legal Requirements.
- Controller will not share any special category data with Processor for processing. Controller further acknowledges that Processor does not request or require any special category data to provide the Service and does not wish to receive or store any special category data.
- Controller warrants on an ongoing basis that there is, and will be throughout the term of the Terms, a valid legal basis for the processing of Controller Personal Data by Processor in accordance with this DPA and the Terms (including any and all instructions issued by Controller from time to time in respect of such processing).
Confidentiality of Controller Personal Data
- Processor shall ensure that all of its employees, contractors and other personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in respect of Controller Personal Data.
- Processor shall not disclose Controller Personal Data in any way to any third party who is not an approved Subprocessor without the prior written consent of Controller, except when Processor must comply with Applicable Legal Requirements and is prohibited from obtaining the prior written consent from Controller pursuant to such Applicable Legal Requirements.
Processor shall, taking into account the nature of Controller Personal Data and the risks involved in the processing of Controller Personal Data, implement appropriate technical and organisational measures to protect Controller Personal Data against any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access (the “Security Measures”). The Security Measures will have regard to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing.
Controller agrees that it is solely responsible for its use of the Service, including: (i) making appropriate use of the Service to ensure a level of security appropriate to the risk in relation to Controller Personal Data; (ii) securing any account authentication credentials, systems, and devices it uses to access the Service; and (iii) backing up all Controller Personal Data. Controller understands and agrees that Processor has no obligation to protect Controller Personal Data that Controller elects to store or transfer outside of Processor’s or any Subprocessors’ systems (e.g. offline or on-premise storage). Controller is solely responsible for evaluating whether the Service and Processor’s commitments under this DPA meet its needs, including with respect to Controller’s compliance with any of its security obligations under the GDPR and/or Applicable Legal Requirements.
- Controller authorises Processor to appoint Subprocessors in accordance with this Section.
- Processor may continue to use those Subprocessors already engaged by Processor as at the date of this DPA.
- Processor shall give Controller prior written notice of the appointment of any new Subprocessor, including reasonable details of the processing to be undertaken by the Subprocessor, by updating the list of its Subprocessors at the following address: https://www.sketch.com/subprocessors/. If, within ten (10) days of receipt of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment:
- Processor shall use reasonable efforts to make available a commercially reasonable change in the provision of the Service which avoids the use of the proposed Subprocessor; or
- where such a change cannot be made, either Party may by written notice to the other Party with immediate effect terminate the Terms either in whole or to the extent that it relates to the Service which require the use of the proposed Subprocessor (subject always to the provisions of the Terms).
- With respect to each Subprocessor, Processor shall ensure that the arrangement between Processor and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Controller Personal Data as those set out in this DPA.
- Processor shall remain liable to Controller for the acts and omissions of each Subprocessor in respect of Controller Personal Data.
Data subject rights
- Taking into account the nature of the processing, Processor shall provide Controller with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Controller in fulfilling its obligation to respond to Data Subject Requests.
- Processor shall:
- promptly notify Controller if Processor receives a Data Subject Request; and
- not respond to any Data Subject Request except on the written instructions of Controller (and in such circumstances, at Controller’s cost) or as required by Applicable Legal Requirements.
Data breach notification
- Processor shall promptly notify Controller upon becoming aware that a suspected or actual Data Breach has (or may have) occurred with respect to Controller Personal Data. Such notification shall be provided promptly and without undue delay after the detection of the (suspected) Data Breach.
- Processor shall provide the following information to Controller, to the extent that Processor is reasonably able to provide such information:
- the nature of the Data Breach and affected Data Subject(s);
- the identified and suspected consequences of the Data Breach; and
- the measures Processor has taken, or proposes to take, in order to mitigate the effects of the Data Breach.
- At the request of Controller, Processor will cooperate to inform the competent supervisory authority and/or Data Subject(s) of the Data Breach.
- Controller is solely responsible for complying with any Data Breach notification requirements that may apply to Controller. Processor’s notification of or response to a Data Breach under this Section will not constitute an acknowledgement of fault or liability with respect to the Data Breach.
Data protection impact assessments, prior consultation and audits
- Processor shall provide reasonable assistance to Controller, at Controller’s cost, with any data protection impact assessments and prior consultations with supervisory authorities, in each case solely in relation to the processing of Controller Personal Data by, and taking into account the nature of the processing by and information available to, Processor.
- Processor shall make available to Controller on request such information as Processor (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. In the event that Controller (acting reasonably) is able to provide documentary evidence that the information made available by Processor pursuant to this Paragraph is not sufficient in the circumstances to demonstrate Processor’s compliance with this DPA, Processor shall allow for and contribute to audits, including on premise inspections, by Controller or an auditor mandated by Controller in relation to the processing of Controller Personal Data by Processor.
- Controller shall give Processor reasonable notice of any audit or inspection to be conducted (which shall in no event be less than ten (10) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any damage, injury or disruption to Processor’s premises, equipment, personnel, data and business (including any interference with the confidentiality or security of the data of Processor’s other customers, or the availability of Processor’s services to such other customers).
- Controller shall bear any third party costs in connection with any inspection or audit and reimburse Processor for all costs incurred by Processor in connection with any such inspection or audit.
Restricted transfers of Personal Data
To the extent that any processing by either Processor or any Subprocessor of Controller Personal Data involves a Restricted Transfer, the Parties agree that:
- Controller – as ‘data exporter’; and
- Processor or Subprocessor (as applicable) – as ‘data importer’,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated processing.
In respect of any Standard Contractual Clauses entered into:
- Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
- Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
- Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in SCHEDULE A – DETAILS OF PROCESSING; and
- Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under the DPA.”
- Clause 9 of such Standard Contractual Clauses shall be populated as follows:
The Standard Contractual Clauses shall be deemed to come into effect automatically upon the commencement of the relevant Restricted Transfer.
Deletion of Controller Personal Data
- Upon the date of cessation of any Service involving the processing of Controller Personal Data, Processor shall immediately cease all processing of Controller Personal Data for any purpose other than for storage.
- Controller hereby acknowledges and agrees that, due to the nature of the Service and Controller Personal Data processed by Processor, return (as opposed to deletion) of Controller Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Controller agrees that it is hereby deemed to have irrevocably selected deletion, in preference of return, of Controller Personal Data.
- Processor and any Subprocessor may retain Controller Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Processor and any such Subprocessor shall ensure:
- the confidentiality of such Controller Personal Data; and
- that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
Term and termination
- This DPA shall take effect on the Effective Date.
- This DPA forms an integral part of the Terms and remains in force until the Terms expire or terminate, for whatever reason.
- In the event of any inconsistency relating to the processing of Controller Personal Data between a provision of this DPA and the Terms, the provision of this DPA will prevail.
- If Applicable Legal Requirements require that this DPA be amended, either Party may propose an amendment and the Parties will enter into negotiations in good faith to reach an agreement ensuring the continued compliance of the DPA with Applicable Legal Requirements.
Schedule A – Details of Processing
This Schedule A to the DPA includes certain details of the processing of Controller Personal Data: (i) as required by Article 28(3) GDPR; and (ii) where applicable in accordance with the DPA, to populate Appendix 1 to the Standard Contractual Clauses.
Subject matter and duration of the processing of Controller Personal Data
The subject matter and duration of the processing of Controller Personal Data are set out in the Terms and the DPA.
Nature and purpose of the processing of Controller Personal Data
- Processor will process Controller Personal Data in order to deliver the Service to Controller.
- Processor offers a ‘software-as-a-service’ (SaaS) product to its customers. Further information is available at www.sketch.com.
Types of Controller Personal Data to be processed
- Full name;
- Email address;
- Internet Protocol (IP) address;
- Device information; and
- Any personal data contained in users’ contributions on the Service.
Categories of Data Subjects to whom Controller Personal Data relates
- End users of the Service; and
- End users to whom Controller provide access to the Service (including Controller’s employees and contractors).
Obligations and rights of Controller
The obligations and rights of Controller are set out in the Terms and the DPA.