Data Processing Agreement

MOONSHINE FINANCIAL AB

This Data Processing Agreement (the “DPA”) forms an integral part of the Terms of Service (the “TOS”) between Moonshine and Customer with regards to the Processing of Personal Data by Moonshine on behalf of Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.

1. Definitions

For the purpose of this Agreement, the following terms shall have the following meaning: “Agreement”, “Moonshine”, “Customer”, “Customer Data”, the “Services” shall have the meaning as defined in the TOS.

“Data Protection Law” shall mean any data protection law governing Customer’s collection and Moonshine sub-processing of data. This includes the EU General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

The terms “Data Controller”, “Data Processor”, “Personal Data Breach”, “Data Subject”, “Process”, “Processing” and “Sell” shall have the meanings ascribed to them in the Data Protection Law. Where applicable, Data Controller shall be deemed to be a “Business”, Data Processor shall be deemed to be a “Service Provider”, and “Data Subject” shall be deemed to be a “Consumer” as these terms are defined under the CCPA.

“Personal Data” means any information, including Personal Information as specified in Data Protection Law, which can be related, describes, or is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, including as defined under Data Protection Law.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will be considered a Security Incident.

“Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

“Sub Processor” means any third party engaged by Moonshine to perform parts of the Processing of Customer Data.

2. Processing of Customer Personal Data

With regards to Personal Data Processed as part of the Services, Moonshine is acting as Data Processor on behalf of Customer, acting as the Data Controller. In regard to the CCPA, Customer is the Business and Moonshine the Service Provider.

The subject-matter, nature and purpose of the processing, is to provide the Service. Personal Data processed may include names, salary transactions, benefits and expenses.

The duration of processing shall be for the duration of the Agreement, or as otherwise is set forth in the Agreement.

Moonshine shall process Personal Data only to deliver the Services in accordance with Customer’s written instructions, the Agreement, documentation relating to the Service and Data Protection Law, unless otherwise required by law, in which case Moonshine will inform Customer unless that law prohibits such disclosure.

Moonshine shall not:

3. Processor Personnel

Notwithstanding other confidentiality obligations agreed upon between the Parties, Moonshine shall ensure that persons authorized to access the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Nothing contained in this Clause shall prevent Moonshine from sharing personal data to the extent such disclosure is mandatory under applicable law.

4. Security

Moonshine shall take all measures required pursuant to Article 32 GDPR. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Moonshine and Customer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

5. Sub-processing

Customer hereby authorizes Moonshine to engage Sub-Processors for the Processing of Personal Data on Customer’s behalf. A current list of sub-processors is found in ANNEX I. Moonshine shall inform Customer of any intended changes to this list with 30 days’ written notice. Should Customer not object during those 30 days, Moonshine may start using such a sub-processor. Should Customer object to such change, the Parties will work in good faith to find an alternative solution.

If Moonshine engages such Sub-Processors under this Agreement all its data protection-related obligations shall be imposed on those Sub-Processors (including ensuring they fulfil article 28 of the GDPR) by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Processing Law. Where Sub-Processors fail to fulfil their data protection obligations, Moonshine shall remain fully liable to Customer for the performance of that other processor’s obligations and Moonshine shall promptly inform Customer of such failure.

6. Data Subject Rights

If Moonshine receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, Moonshine will promptly notify Customer and ensure that it does not respond to that request except on the documented instructions of Customer or as required by laws to which Moonshine is subject, in which case Moonshine shall to the extent permitted by such laws inform Customer of that legal requirement before replying to the request.

7. Data Breach

Moonshine shall notify Customer without undue delay upon Moonshine becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Moonshine shall co-operate with Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Assistance

Moonshine shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Data Privacy Law.

Moonshine shall also upon reasonable prior notice give reasonable assistance in compliance with notification obligations of Personal Data breaches to the relevant supervisory authority and communication obligations to data subjects, and other legal compliance requirements, or assessments as part of an audit by a relevant supervisory authority.

9. Deleting Personal Data

Moonshine shall, at the choice of Customer, delete or return all the personal data to Customer after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage of the personal data. Should Customer not put any explicit requirements on data removal, it will be removed according to system data retention rules and purged automatically.

10. Audit Rights

Moonshine shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

11. Data Transfer

Data originating in the European Economic Area will be Processed in the EU. Data originating in the rest of the world will be Processed in the United States. Data will be transferred into the EU from the US. Moonshine shall only transfer personal data processed on behalf of Customer to a country outside of the European Economic Area provided it is necessary for the purpose of Moonshine carrying out its obligations under the Agreement, or is required under applicable laws. Such transfer shall only occur to a country that has an adequate level of data protection or Moonshine has ensured an adequate level of protection through contractual means such as the Standard Contractual Clauses for data transfers.

12. General

In the event of a conflict between the TOS and this DPA, the provisions of this DPA shall prevail.

This DPA supersedes any prior agreements or contracts (whether implied or explicit and whether written or not) between the parties in connection with Processing of Personal Data.

ANNEX I

List of subprocessors: