QA Sphere - AI-Powered Test Management Platform

Data Processing Agreement

Last updated: December 2024

This Data Processing Agreement ("DPA") forms part of the Terms of Use between you ("Customer", "Controller") and Hypersequent DMCC ("Hypersequent", "Company", "Processor") and governs the processing of personal data that the Customer transmits or otherwise provides to Hypersequent for the purposes of and in connection with the QA Sphere services.

Note: A custom Data Processing Agreement with signatures is available upon request for enterprise customers with specific compliance requirements. Please contact us at [email protected] to request a signed DPA.

This DPA shall remain in force until the termination or expiration of the service agreement between Parties and until all personal data has been returned or deleted in accordance with the provisions of this DPA.

1. Definitions

"Standard Contractual Clauses" or "SCCs" means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

"General Data Protection Regulation" or "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Personal Data Protection Law" or "PDPL" means the UAE's Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data.

"Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR, the PDPL and Other Data Protection Laws and Regulations.

"Customer Data" means personal data that the Customer acting as a data controller provides to the Company acting as a data processor in connection with the services provided by the Company.

"Other Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Arab Emirates, the United Kingdom, the United States and its states, applicable to the processing of personal data.

"Sub-processor" means any contractor or entity which provides processing services to the Company in furtherance of the Company's processing on behalf of the Customer.

"Public Authority" means a government agency or law enforcement authority, including judicial authorities.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection legislation.

2. Roles

With regard to the data processing under this DPA, Customer shall act as a data controller, and Hypersequent shall act as a data processor under the GDPR, the PDPL, and Other Data Protection Laws and Regulations.

3. Instructions

The Parties agree that this DPA and the Terms of Use constitute the Customer's complete and final documented instructions regarding the processing by Hypersequent of the Customer Data on the Customer's behalf (the "Instructions"). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms of Use.

4. Obligations

4.1. Hypersequent's Obligations

4.1.1. General Obligations

With regard to the processing of the Customer Data, Hypersequent shall:

  • process the Customer Data only for established purposes, using appropriate technical and organisational security measures, and in compliance with the instructions received from the Customer;
  • inform the Customer if Hypersequent cannot comply with its obligations under this DPA, in which case the Customer may terminate the service agreement or take any other reasonable actions;
  • inform the Customer if, at Hypersequent's discretion, the Customer's Instruction may be in violation of the provisions of the GDPR, the PDPL or Other Data Protection Laws and Regulations;
  • take reasonable steps to ensure that any Sub-processor to whom Hypersequent authorises access to the Customer Data complies with respective provisions of the Terms of Use and this DPA;
  • keep records of processing activities carried out on behalf of the Customer under this DPA;
  • make available to the Customer all information necessary to demonstrate compliance with Hypersequent's obligations under this DPA, the GDPR, the PDPL and Other Data Protection Laws and Regulations.

4.1.2. Notices to the Customer

Upon becoming aware, Hypersequent shall inform the Customer of any legally binding request for disclosure of the Customer Data by a Public Authority unless Hypersequent is otherwise forbidden by law to inform the Customer. Hypersequent will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of the Customer Data.

4.1.3. Security Measures

Hypersequent shall implement and maintain appropriate technical and organisational measures to protect the Customer Data from personal data breaches (the "Security Incidents") in accordance with Hypersequent's security standards set out in Schedule 2 of this DPA. The Customer acknowledges that security measures are subject to technical progress so that Hypersequent may modify or update Schedule 2 at its discretion, provided that such modification does not result in a material degradation in the security measures.

4.1.4. Security Incident

Upon becoming aware of a Security Incident, Hypersequent shall:

  • notify the Customer without undue delay after it becomes aware of the Security Incident;
  • provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the Customer;
  • promptly take reasonable steps to contain and investigate any Security Incident.

4.1.5. Confidentiality

Hypersequent will not access, use, or disclose to any third party any Customer Data, except as necessary to maintain or provide the services or as necessary to comply with contractual and legal obligations. Hypersequent shall ensure that any employee or contractor to whom it authorises access to the Customer Data is subject to appropriate confidentiality obligations.

4.1.6. Return or Deletion of Customer Data

At the choice of the Customer, Hypersequent shall delete or return all personal data relating to processing to the Customer after the end of the provision of services and delete existing copies unless Union or Member State law requires the storage of the personal data.

4.1.7. Reasonable Assistance

Hypersequent agreed to provide reasonable assistance to the Customer regarding:

  • any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of the Customer Data;
  • the investigation of Security Incidents and communication of necessary notifications;
  • preparation of data protection impact assessments and, where necessary, consultation with the Supervisory Authority.

4.1.8. Audit

The Customer may, prior to the commencement of processing and at regular intervals after that, audit the technical and organisational measures taken by the Company. Upon reasonable and timely advance agreement, during regular business hours and without interruption to the Company's business operations, the Company may provide the Customer with all information necessary to demonstrate compliance with its obligations and allow for audits conducted by the Customer or another auditor mandated by the Customer.

4.2. Customer's Obligations

Within the scope of the DPA, the Customer acts as a data controller and shall be responsible for complying with all requirements that apply to the Customer as a data controller under the GDPR and Other Data Protection Laws and Regulations. The Customer represents and warrants that the Customer shall be responsible for:

  • the accuracy, quality, integrity, confidentiality and security of collected Customer Data;
  • complying with all necessary transparency, lawfulness, fairness and other requirements under GDPR for the collection and use of personal data;
  • ensuring that the Customer's Instructions to Hypersequent regarding the processing of the Customer Data comply with the GDPR and Other Data Protection Laws and Regulations.

5. Data Subject Request

In the event that a data subject contacts Hypersequent with regard to the exercise of their rights under the GDPR, the PDPL and Other Data Protection Laws and Regulations, Hypersequent shall notify the Customer of such request. Hypersequent will use all reasonable efforts to forward such requests to the Customer.

6. Sub-processors

The Customer agrees that Hypersequent may engage sub-processors in accordance with provisions set out in Clause 9 of EU SCCs to assist in fulfilling Hypersequent's obligations. Hypersequent agrees to inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes.

The current list of sub-processors is available at qasphere.com/policies/subprocessors.

7. Data Transfers

7.1. Transfers of Customer Data

Parties agree that when the processing of the Customer Data constitutes a transfer from the Customer as a data controller to Hypersequent as a data processor under the GDPR, the PDPL and Other Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses which are deemed to be incorporated into and form part of this DPA. If and to the extent the EU SCCs conflict with any provision of the DPA, the EU SCCs shall prevail.

7.2. Transfers under the GDPR

When the processing of the Customer Data constitutes a "transfer" under the GDPR, Standard Contractual Clauses shall apply. When the Customer acts as a controller, and Hypersequent acts as a data processor, Module Two of the EU SCCs shall apply.

The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA:

  • in Clause 7, the optional docking clause shall not apply;
  • in Clause 9, Option 2 (General Written Authorisation) shall apply. The time period for informing the data exporter in advance of any intended changes to the sub-processors list shall be 10 days;
  • in Clause 11, the optional provision shall not apply;
  • in Clause 13, Option 1 shall apply;
  • in Clause 17, Option 2 shall apply. The Parties agree that this shall be the law of Ireland;
  • in Clause 18(b), disputes shall be resolved by the courts of Ireland.

7.3. Transfers under the PDPL

Under the PDPL, when the processing of the Customer Data constitutes a "transfer", this DPA shall apply as an agreement between the Customer as a data controller and Hypersequent as a data processor under Article 8(1) of the PDPL.

8. Applicable Law and Dispute Resolution

The law applicable to this DPA is the law specified in the Terms of Use unless otherwise required by the GDPR or Other Data Protection Laws and Regulations.

Schedule 1: Description of Processing

A. Categories of Data Subjects

  • Customer's employees, contractors, team members and other individuals carrying out software testing operations for the Customer;
  • Other data subjects whose personal data is provided by the Customer.

B. Categories of Personal Data

  • Customer Data: information about the Customer's employees, contractors, team members, and other individuals carrying out software testing operations for the Customer, such as name, contact details, and email;
  • Other personal data, the transfer and processing of which is agreed upon under the Terms of Use.

C. Sensitive Data

The data importer does not obtain access to the special categories of data (sensitive data). The data importer takes technical and organisational measures to protect personal data, including sensitive personal data, if any is transferred.

D. Frequency of Transfer

The personal data is transferred on a continuous basis.

E. Nature of Processing

Personal data processing consists of the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

F. Purpose of Processing

The main purpose of the data transfer and further processing is to provide the QA Sphere services by Hypersequent to the Customer and fulfil Hypersequent's obligations under the Terms of Use.

G. Retention Period

The personal data shall be stored for the duration of this DPA unless otherwise agreed in writing or Hypersequent is required by applicable law to retain some or all of the transferred personal data.

H. Competent Supervisory Authority

In accordance with Clause 13, the competent supervisory authority is the Irish Data Protection Commission.

Schedule 2: Technical and Organisational Measures

Description of the technical and organisational measures implemented by Hypersequent to ensure an appropriate level of security:

  • Hypersequent is committed to maintaining the confidentiality, integrity, availability, and resilience of all personal data during its processing activities. It ensures the protection of personal data from loss and destruction by implementing appropriate internal information security policies and procedures.
  • Hypersequent employs differentiated data access levels and implements access control measures. The personal data is subject to a strictly need-to-know access principle and can be displayed to the authorised team members only.
  • Hypersequent has taken steps to ensure physical security at locations where personal data is processed.
  • All servers and workstations have proper security configurations and are continuously checked for vulnerabilities. Any vulnerabilities identified are addressed accordingly.
  • Hypersequent's security procedures are subject to regular reviews.
  • Hypersequent has implemented encryption and other security measures (hashing) when storing data.
  • The transfer of personal data to Hypersequent's Sub-processors is only made if a corresponding contract exists and only for specific purposes that correspond with this DPA and Terms of Use. If personal data is transferred outside the EEA, Hypersequent ensures that an adequate level of data protection exists at the target location in accordance with European Union's data protection requirements.

For more information about our security practices, please visit our Security & Compliance page.
