Last revised: September, 2024
The Customer and Qohash entered into a Master Service Agreement (the “MSA”) that may require Qohash to process personal information provided by or collected on behalf of the Customer; and this Personal Information Processing Addendum (the “Addendum”) sets out additional terms, requirements and conditions for collecting, processing, disclosing, transferring or storing Personal Information when Qohash provides Services under the MSA.
1. Definitions and Interpretation
1.1. The following definitions and rules of interpretation apply in this Addendum. Capitalized terms used in this Addendum are defined below and are in addition to the terms defined in the MSA.
“Business Purpose” means the Services described in the MSA or any other purpose specifically identified in writing by Qohash.
“Data Subject” means an individual who is the subject of Personal Information.
“Personal Information” means any information Qohash collects, uses, processes or maintains for the Customer: (i) relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly; or (ii) that the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.
“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
“Privacy and Data Protection Requirements” means all applicable federal, state, provincial, and foreign laws and regulations relating to the Processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
“Standard Contractual Clauses (SCC)” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Information from the European Union to processors established in third countries (Module Two), as set out in the Annex to Commission Decision (EU) 2021/914, a complete copy of which comprises Appendix A.
1.2 This Addendum is subject to the terms of the MSA and is incorporated into the MSA. Interpretations and defined terms in the MSA apply to the interpretation of this Addendum.
1.3 The Appendices form part of this Addendum and will have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Appendices.
1.4 A reference to writing or written includes faxes and email.
1.5 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Addendum and any provision contained in the Appendices, the provision in the body of this Addendum will prevail;
(b) any of the provisions of this Addendum and the provisions of the MSA, the provisions of this Addendum will prevail; and
(c) any of the provisions of this Addendum and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
2. Personal Information Types and Processing Purposes
2.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, providing any required notices and obtaining any required consents, and for the Processing instructions it gives to Qohash.
2.2 Qohash Privacy Policy (as available online at qohash.com/privacy) describes the general Personal Information categories and Data Subject types Qohash may Process to fulfill the Business Purposes of the MSA. The Customer discloses Personal Information to Qohash only for the limited and specified Business Purposes.
3. Qohash’s Obligations
3.1 Qohash will only Process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. Qohash will not Process the Personal Information for any other purpose or in a way that does not comply with this Addendum or the Privacy and Data Protection Requirements. Qohash must promptly notify the Customer if, in its opinion, the Customer’s instructions will not comply with the Privacy and Data Protection Requirements.
3.2 Qohash must promptly comply with any Customer request or instruction requiring Qohash to amend, transfer, or delete the Personal Information, or to stop, mitigate or remedy any unauthorized Processing.
3.3 Qohash will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer (including through its consent to Qohash’s privacy policy) or this Addendum specifically authorizes the disclosure in compliance with Privacy and Data Protection Requirements, or as otherwise required by law. If a law requires Qohash to Process or disclose Personal Information outside of the consent given, Qohash must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4 Qohash will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, considering the nature of Qohash’s Processing and the information available to Qohash.
3.5 Qohash must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect Qohash’s performance of the MSA.
3.6 The Customer acknowledges that Qohash is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.
3.7 Qohash will only collect Personal Information for the Customer pursuant to its Privacy Policy that the Customer acknowledges having read, understood and accepted, which contains a data privacy notice informing the Data Subject of Qohash’s identity and its appointed data protection representative, the purpose or purposes for which their Personal Information will be Processed and any other information that is required by applicable Privacy and Data Protection Requirements. Customer undertakes to review any changes made to this Privacy Policy and take any relevant actions.
3.8 Qohash is responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements.
4. Qohash’s Employees
4.1 Qohash will limit Personal Information access to:
(a) those employees who require Personal Information access to meet Qohash’s obligations under this Addendum and the MSA; and
(b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
4.2 Qohash will ensure that all employees:
(a) are informed of the Personal Information’s confidential nature and use restrictions;
(b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
(c) are aware both of Qohash’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this Addendum.
4.3 Qohash will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Qohash’s employees with access to the Personal Information.
5. Security
5.1 Qohash must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful Processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction or damage. Qohash will document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.
5.2 Qohash will notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the Parties should adjust their security measures.
5.3 Qohash must take reasonable precautions to preserve the integrity of any Personal Information it Processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures in compliance with Privacy and Data Protection Requirements or other applicable laws.
6. Security Breaches and Personal Information Loss
6.1 Qohash will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. Qohash will restore such Personal Information at its own expense.
6.2 Qohash will within thirty-six hours after it becomes aware of it, notify the Customer if it becomes aware of:
(a) any unauthorized or unlawful Processing of the Personal Information; or
(b) any Security Breach.
6.3 Immediately following any unauthorized or unlawful Personal Information Processing or Security Breach, the Parties will co-ordinate with each other to investigate the matter. Qohash will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:
(a) assisting with any investigation; and
(b) making available all available records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer, unless Qohash reasonably determines that sharing such records, logs, files, data reporting, and other materials may present a risk or otherwise disclose the information of another third party.
6.4 Qohash will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when Privacy and Data Protection Requirements, or other laws or regulations, require it.
6.5 Subject to the terms of Section 6.4, Qohash agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies or others, as required by Privacy and Data Protection Requirements or other laws or regulations, or at the Customer’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 Qohash will maintain records of any Security Breach in accordance with Privacy and Data Protection Requirements.
7. Cross-Border Personal Information Transfers
7.1 If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer Personal Information to Qohash under the following conditions:
(a) Qohash, either through its location or participation in a valid cross-border transfer mechanism under the Privacy and Data Protection Requirements, may legally receive that Personal Information, however, Qohash must immediately inform the Customer of any change to that status;
(b) the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
(c) the transfer otherwise complies with the Privacy and Data Protection Requirements.
7.2 If any Personal Information transfer between Qohash and the Customer requires execution of Standard Contractual Clauses to comply with the Privacy and Data Protection Requirements, the Parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimize the transfer, including, if necessary:
(a) co-operating to register the Standard Contractual Clauses with any supervisory authority in any European Economic Area country;
(b) procuring approval from any such supervisory authority; or
(c) providing additional information about the transfer to such supervisory authority.
7.3 Qohash will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.
8. Subcontractors
8.1 Qohash may only authorize a third party (subcontractor) to Process the Personal Information if:
(a) the Customer provides prior written consent to such sub Processing as provided in the Privacy policy;
(b) Qohash enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Addendum; and
(c) Qohash maintains control over all Personal Information it entrusts to the subcontractor.
8.2 Where the subcontractor fails to fulfill its obligations under such written agreement, Qohash remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.
8.3 Qohash is deemed to control any Personal Information that is controlled by or in the possession of its subcontractors.
9. Complaints, Data-Subject Requests and Third-Party Rights
9.1 Qohash must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information Processing or to either Party’s compliance with the Privacy and Data Protection Requirements, when the Client is the “controller”.
9.2 Qohash must notify the Customer within five working days if it receives a request from a Data Subject for access to their Personal Information or a request to correct, delete, or withdraw its consent from any use by Customer or Qohash of same.
9.3 Qohash will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
9.4 Qohash must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this Addendum, or is otherwise required by law.
10. Term and Termination
10.1 This Addendum will remain in full force and effect until the later of the following:
(a) the MSA remains in effect; or
(b) Qohash retains any Personal Information related to the MSA in its possession or control (the “Term”).
10.2 Any provision of this Addendum that expressly or by implication should come into or continue in force on or after termination of the MSA to protect Personal Information will remain in full force and effect.
10.3 Qohash’s failure to comply with the terms of this Addendum is a material breach of the MSA. In such event, the Customer may send a prior notice informing Qohash of such a breach and if Qohash has not corrected such breach within thirty days after the receipt of this prior notice, Customer may terminate the MSA effective immediately upon written notice to Qohash without further liability or obligation.
10.4 If a change in any Privacy and Data Protection Requirement prevents either Party from fulfilling all or part of its MSA obligations, the Parties will suspend the Processing of Personal Information until that Processing complies with the new requirements. If the Parties are unable to bring the Personal Information Processing into compliance with the Privacy and Data Protection Requirement within sixty days, they may terminate the MSA upon written notice to the other Party.
11. Data Return and Destruction
11.1 At the Customer’s request, Qohash will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format reasonably specified by the Customer.
11.2 On termination of the MSA for any reason or expiration of its term, Qohash will securely destroy, anonymize pursuant to applicable Privacy and Data Protection Requirement or, if directed in writing by the Customer, return and not retain (except for Personal Information that has been anonymized and is not Personal Information anymore), all or any Personal Information related to this Addendum in its possession or control, except for one copy that it may retain and use for audit purposes only.
11.3 If any law, regulation, or government or regulatory body requires Qohash to retain any documents or materials that Qohash would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, and establishing a specific timeline for destruction once the retention requirement ends. Qohash may only use this retained Personal Information for the required retention reason or audit purposes.
12. Records
12.1 Qohash will keep detailed, accurate, and up-to-date records regarding any Personal Information Processing it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the Processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
13. Audit
13.1 Upon the Customer’s written request, Qohash will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Qohash’s Confidential Information under the MSA.
13.2 Qohash will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Qohash’s management.
14. Representations and Warranties
14.1 Qohash represents and warrants that:
(a) It and its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements;
(b) It and anyone operating on its behalf will Process the Personal Information in compliance with both the terms of this Addendum and all applicable Privacy and Data Protection Requirements and any other applicable laws, enactments, regulations, codes, orders, standards, and other similar instruments;
(c) It has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the MSA’s contracted services or the services hereunder; and
(d) Considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful Processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
(i) The harm that might result from such unauthorized or unlawful Processing or accidental loss, destruction, or damage;
(ii) The nature of the Personal Information protected; and
(iii) Comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in 5.1.
14.2 The Customer represents and warrants that Qohash’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer under this Addendum will comply with all Privacy and Data Protection Requirements.