Data Processing Agreement
This Data Processing Agreement (“DPA”), effective as of December 21, 2023 by and between Client (“Data Controller” or “Client”) and Eton Solutions, L.P. (“Data Processor” or “Eton”) sets forth the terms and conditions relating to the privacy, confidentiality, security and protection of Personal Data (as defined below) associated with services rendered by, and/or products provided by, Processor to Controller (and/or its Affiliates) pursuant to any agreement between Eton and Client (and/or its Affiliates), regardless of whether such agreement exists as of or after the Effective Date (such agreement, as applicable, the “Services Agreement”, which, together with this DPA, is the “Agreement”).
“Affiliates” means any entity that now or in the future directly or indirectly controls, is controlled by, or is under common control or ownership for as long as such control exists, where “control” (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of the power to direct, influence or cause the direction of the management policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.
“Aggregate” means to combine information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household, including via a device.
“Anonymization” shall have the meaning ascribed to it in the GDPR and shall also include “Deidentify” as defined in the CCPA and CPRA.
“CCPA” means the California Consumer Privacy Act of 2018, and its implementing regulations. “CPRA” means the California Privacy Rights Act of 2020, and its implementing regulations.
“Client Personal Data” means Personal Data Processed by Eton as a Processor on behalf of Client or its Affiliate pursuant to the Services Agreement.
“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as they may be amended or replaced from time to time.
“Data Controller” means the entity which determines the purposes and means of Processing Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means, as applicable to the parties, all applicable data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, security or protection of Personal Data, and shall include the GDPR, the PDPA, the CCPA and the CPRA.
“Data Subject” means an identified or identifiable natural person to which the Personal Data pertains.
“Europe” or the “EU” means the European Economic Area plus Switzerland and the UK.
“GDPR” means collectively the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 as amended or replaced from time to time, and the UK Data Protection Act of 2018 (“UK GDPR” as it forms part of retained EU law (as defined in the European Union (Withdrawal) Act 2018)).
“PDPA” means the Personal Data Protection Act of 2012.
“Personal Data” means any data, information or record that is Processed in connection with the Services Agreement (i) relating to an identified or identifiable natural person, or (ii) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained.
“Personal Data Breach” means the (1) breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Client Personal Data Processed under the Services Agreement, or (2) similar incident involving Client Personal Data.
“Process,” “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sell” shall have the meaning ascribed to it in the CCPA.
“Sensitive Personal Data” shall have the meaning ascribed to it in the GDPR, the PDPA and the CPRA.
“Standard Contractual Clauses” or “SCCs” means, as applicable, the Controller-to-Processor SCCs entered into between the parties.
“Supervisory Authority” means a government regulator or enforcement authority which has regulatory or enforcement authority with respect to the privacy, confidentiality, security or protection of Personal Data.
2. Nature of Data Processing
2.1 Processing Limitations. Eton will only Process Client Personal Data and Sensitive Personal Data in accordance with the processing schedule set out in Appendix 1 (Section A), on behalf of and in accordance with Client’s written instructions as set forth in, or pursuant to, the Services Agreement. Eton will treat Client Personal Data as confidential information and impose confidentiality obligations on all personnel who Process Client Personal Data. Eton will neither (i) Sell Client Personal Data or Sensitive Personal Data; nor (ii) retain, use or disclose Client Personal Data (a) for any purpose other than for the specific purposes of performing under the Agreement, or (b) outside of the direct business relationship between Eton and Client (and its Affiliates).
If applicable law requires Eton (or, for avoidance of doubt, any sub-processor) to conduct Processing that is or could be construed as inconsistent with Client’s instructions, Eton will promptly notify Client of such inconsistency prior to commencing (or continuing) the Processing, unless notification is prohibited by law.
2.2 Role of the Parties. As between Eton and Client (and its Affiliates), Client (or its Affiliate) is the Data Controller of Client Personal Data, and Eton is the Data Processor, which Processes Client Personal Data on Client’s (or its Affiliate’s) behalf and will have no ownership rights or interest in Client Personal Data. The Parties acknowledge and agree that (i) the Client Personal Data that Client or its Affiliate discloses to Eton is provided to Eton for a business purpose, and Client does not Sell Personal Data to Eton in connection with the Agreement; and (ii) during the time the Client Personal Data and Sensitive Personal Data are Processed by Eton, Client (or its Affiliate) has no knowledge or reason to believe that Eton is unable to comply with the provisions of this DPA, and Eton will inform the Client (or its Affiliate) if it is unable to provide the services.
2.3 Anonymize or Aggregate Data. Eton may not Anonymize Client Personal Data and Sensitive Personal Data as part of its performance under the Services Agreement or for any other purpose, unless it receives Client’s prior written consent for such activities. If such consent is provided by Client, such Anonymization or Aggregation, as the case may be, can be performed only to the extent such activity meets the applicable standard required under the applicable Data Protection Laws. Eton may Aggregate Client Personal Data and Sensitive Personal Data as part of its performance under the Services Agreement to show statistics of performance of financial data.
3. Compliance with Applicable Law
The parties shall comply with Data Protection Laws. This DPA is not meant to reduce the level of protections applicable to each Data Subject. If there is any conflict between the DPA and the Services Agreement, the terms of the DPA shall prevail. If there is any conflict between this DPA and Data Protection Laws, the provision(s) of the applicable Data Protection Laws will govern. Pursuant to Section 5 below, Eton will comply with industry standards and requirements that apply to Eton and relate to the privacy, confidentiality, security, protection or electronic storage of Client Personal Data. If Eton believes any instruction from Client is in violation of, or would result in Processing in violation of, applicable law, Eton will immediately notify Client.
4.1 Appointment of Sub-Processors. Eton will not subcontract any of its rights or obligations under the Agreement without Client’s prior written consent. Unless otherwise agreed upon in the Services Agreement, Client hereby consents to Eton’s use of its Affiliates as sub-processors and any other third parties as sub-processors if such third parties are specifically identified in the Services Agreement (including any applicable statement of work or order form). Eton shall provide Client with written notice of any intended changes to the authorized sub-processors and Client shall promptly notify Eton in writing of any objection to such changes which is reasonable and related to data protection. Where Eton, with the consent of Client (which consent will not be withheld except due to an objection as described above), subcontracts its obligations under the Services Agreement to a sub-processor that has been deemed capable of safeguarding Client Personal Data, Eton will only do so by way of a written agreement with such sub-processor that imposes privacy, confidentiality, security and data protection obligations on the sub-processor at least equivalent to those that are set out in this DPA, including the obligation to impose these obligations on any further sub-processor.
4.2 Liability. Eton will remain liable to Client for (i) its obligations under the Agreement even if such obligations are delegated to a sub-processor, including the proper and timely performance of services, and (ii) the acts or omissions of any person or entity to which Eton delegates any such obligation.
5.1 Security Program. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Eton will maintain or cause to be maintained a reasonable and appropriate information security program that complies with Data Protection Laws and is designed to reasonably ensure the confidentiality, integrity, availability and resilience of all Client Personal Data.
5.2 Security Measures. Eton shall maintain reasonable and appropriate administrative, physical, technical (including electronic), and organizational security measures including, as appropriate: (i) encryption and pseudonymization; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures. Eton represents and warrants it has implemented the administrative, physical, technical and organizational security measures described in the attached Appendix 2 to protect Client Personal Data. Eton agrees to store Client Personal Data pursuant to the Services Agreement in the United States and further acknowledges that it shall not combine the Personal Data with the Personal Data of its Affiliates.
5.3 Access to Client Personal Data. Eton will ensure that Client Personal Data is only available to Eton personnel who have a legitimate business need to access the Client Personal Data, who are bound by legally enforceable confidentiality obligations, who have received training on applicable data protection policies and procedures, and who will only Process Client Personal Data in accordance with Client’s instructions. If Eton is unable to Process pursuant to Client instructions during the course of Processing Client Personal Data, Eton will promptly inform the Client.
5.4 Personal Data Breach Response and Notification. Eton will promptly, within 72 hours and without undue delay, notify Client of any Personal Data Breach of which Eton becomes aware by sending written notice via email. Eton will provide further notice as information becomes available, which will summarize in reasonable detail the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects affected; whether the Client Personal Data is lost, stolen or compromised, if known; Eton’s appraisal of the consequences of the Personal Data Breach; the corrective action taken or to be taken by Eton; any internal point(s) of contact responsible for managing or responding to the breach; and Eton’s Data Protection Officer or equivalent under applicable Data Protection Laws, if any. Eton will promptly take all necessary and advisable corrective actions and will cooperate fully with Client in all reasonable and lawful efforts to prevent, mitigate, or rectify such Personal Data Breach. If, according to the Client’s assessment, a Personal Data Breach affecting Client Personal Data should be disclosed or reported to a third party, including Data Subjects, Supervisory Authorities or governmental authorities, Eton will fully cooperate with and assist Client in such reporting or disclosure within 72 hours.
Eton will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA. Client will have the right to verify compliance by Eton and any sub-processor with the terms of this DPA with respect to the Processing of Client Personal Data or to appoint a third-party auditor (non-competitor of Eton) under reasonable obligations of confidentiality to verify the same on Client’s behalf. Eton will grant Client, or its agents, access to the extent necessary to accomplish the inspection and review of all data processing facilities, data files and other documentation in relation to the Processing of Client Personal Data per the Agreement. Eton agrees to provide reasonable assistance to Client in facilitating this inspection function. Client will provide Eton 30 days’ prior written notice of the intent to audit and will not make such a request more than once a calendar year (unless there has been a Personal Data Breach affecting Client Personal Data). In the event Eton does not have the right to audit (or enforce Client’s right to audit) any sub-processor, Eton shall instead make available for Client’s review copies of certifications or reports demonstrating such sub-processor’s compliance with prevailing data security standards applicable to the Processing of Client Personal Data. Notwithstanding any contrary provision in this DPA, the parties agree that the audits described in the applicable Controller-to-Processor SCCs shall be carried out in accordance with this Section.
7. Eton’s Cooperation Obligation
7.1 Cooperation. Eton will provide reasonable assistance to Client with (i) responding to Data Subjects’ requests to exercise their rights under Data Protection Laws; (ii) assistance with Client’s performance of a data protection impact assessment with respect to the Processing of Client Personal Data under this DPA; and (iii) requests or investigations of Client by a Supervisory Authority with respect to the Processing of Client’s Personal Data under the Agreement. Eton has the right to charge a reasonable fee for fulfilling its obligations under this Section as well as reimbursement for all costs and expenses incurred.
7.2 Third Party Access Requests and Complaints. Eton will promptly, within 72 hours, notify the Client of any request or complaint from any Supervisory Authority, government official, Data Subject or any other third party relating to Client Personal Data or Client’s obligations under Data Protection Laws. Eton will notify Client of any warrant, subpoena, or other similar request to Eton regarding any Client Personal Data no later than five (5) business days following receipt, unless prohibited by applicable law. Eton will comply with any retention requests from Client regarding Client Personal Data and will provide required support so that Client can comply with third party requests if Client cannot otherwise reasonably obtain such information.
8. Data Retention, Return and Deletion
8.1 Retention. Eton will not retain Client Personal Data any longer than is reasonably necessary to accomplish the intended purposes for which the Client Personal Data was Processed pursuant to the Agreement.
8.2 Return and Deletion. When Client Personal Data is no longer necessary for the purposes set forth in the applicable Services Agreement or promptly upon the expiration or termination of the Agreement, whichever is earlier, or at an earlier time as Client requests in writing, Eton will (i) return to Client, in the format and on the media requested by Client, all or, if specified by Client, any part of the Client Personal Data; and (ii) destroy all, or if specified by the Client, any part of the Client Personal Data in Eton’s possession or control; provided that: (a) in the event Client requests such return or destruction, to the extent Eton is precluded from or delayed in fulfilling its obligations under the Services Agreement without such Client Personal Data, such failure or delay shall not constitute a breach of those obligations; and (b) copies of such Client Personal Data may be retained to the extent they are electronically stored pursuant to Eton’s ordinary course back-up procedures (including, without limitation, those regarding electronic communication) so long as such Client Personal Data is kept confidential as otherwise required under this DPA. The foregoing obligations will also apply to Client Personal Data held by sub-processors to the extent permitted by Eton’s agreement with such sub-processors. Eton will provide a certification of destruction if requested. If applicable law does not permit Eton to comply with the return or destruction of Client Personal Data, Eton agrees such retained Client Personal Data shall remain in Eton’s possession subject to the terms of this DPA and shall return or destroy such Client Personal Data when permitted by applicable law.
9. International Data Transfers
9.1 Transfer Mechanism. If the services and/or products provided by Eton under the Services Agreement involve an international transfer of Client Personal Data governed by Data Protection Laws, such transfer shall only occur if (as applicable): (i) the country or territory to which the transfer is to be made is within the European Economic Area or Switzerland; (ii) the European Commission or applicable Supervisory Authority has deemed the country or territory to which the data is being transferred as adequate for data protection purposes; or (iii) Eton can provide appropriate safeguards in accordance with applicable Data Protection Laws. Such appropriate safeguards may include, but are not limited to, having in place Binding Corporate Rules, by Processing in a manner consistent with the APEC Cross Border Privacy Rules System, or by adhering to a certification mechanism, a contractual mechanism or code of conduct which has been approved by the applicable Supervisory Authority.
9.2 Standard Contractual Clauses. If none of the foregoing mechanisms in Section 9.1 apply to the transfer of Personal Data out of Europe, then the transfer of Client Personal Data will be subject to the unchanged EU version of the applicable Controller-to-Processor SCCs. The SCCs shall be deemed incorporated by reference herein (a signature to this DPA is deemed a signature to the applicable SCCs). For the purposes of the SCCs: (i) Client shall be regarded as the data exporter and Eton shall be regarded as the data importer. Any references to Directive 95/46/EC in the SCCs will be read as references to the appropriate provisions of the GDPR, the UK Data Protection Act 2018 or the Swiss Federal Data Protection Act 1992, where possible and as applicable. Nothing in this DPA shall be construed to prevail over any conflicting clause of the SCCs unless a provision within this DPA provides for additional safeguards over and above those contained in the conflicting clause in the SCCs, in which case the provision of this DPA shall be deemed to supplement and be in addition to, and not in conflict with, such SCC clause. Eton acknowledges it has had the opportunity to review the applicable SCCs.
9.3 Controller-to-Processor SCCs. For the purposes of the Controller-to-Processor SCCs: (i) the governing law in clause 9 shall be the law of the jurisdiction in which the data exporter is located; (ii) the Illustrative Indemnification Clause in the Controller-to-Processor SCCs will be deemed not to apply by virtue of this Section; and (iii) unless otherwise agreed to by the parties, Appendices 1 (Section A) and 2 of this DPA shall apply and be deemed to be Appendices 1 and 2 of the Controller-to-Processor SCCs.
9.4 Alternative Data Transfer Mechanisms. Transfer mechanisms other than those outlined in Sections 9.1 to 9.3 above that are approved under Data Protection Laws can be relied upon if applicable. The parties agree to use reasonable efforts to put these alternative mechanisms in place, where required, and to amend this DPA as necessary to ensure compliant transfer mechanisms should there be a change in Data Protection Laws. In particular, if the SCCs are amended, replaced, or repealed by the European Commission or under Data Protection Laws, the parties will work together in good faith to enter into any updated version of the SCCs or negotiate in good faith a solution to enable an international transfer of Personal Data to be conducted in compliance with Data Protection Laws.
9.5 International Transfer of Client Personal Data from Eton to Third Parties. Eton will not transfer Client Personal Data, internally or to sub-processors, from any jurisdiction that restricts the international transfer of Personal Data to areas outside that jurisdiction without the prior approval of Client and only after taking steps, on an ongoing basis, to ensure such transfer complies with Data Protection Laws. If Eton discovers or reasonably believes any Client Personal Data has been or is being Processed in a jurisdiction without the implementation of a necessary data transfer agreement, Eton will promptly put such transfer agreement in place and provide prompt notice to Client.
9.6 Transfer of Personal Data outside Singapore. Eton will not transfer Client Personal Data to a place outside Singapore without the Client’s prior written consent. If the Client provides consent, Eton will provide a written undertaking to the Client that the Client Personal Data transferred outside Singapore will be protected at a standard that is comparable to that under the PDPA. If Eton transfers Client Personal Data to any third party or sub-processor, then Eton shall procure the same written undertaking from such third party or sub-processor.
9.7 International Transfer Assessments. Eton will conduct and maintain throughout the term of the DPA an international data transfer assessment that demonstrates its compliance with the terms of this DPA, and if applicable the SCCs, in relation to the specific Processing operations, including by its Affiliates and sub-processors, Data Subject(s) and Client Personal Data categories Processed under this DPA, and will make such assessment available to Client upon request. Eton confirms that it will monitor at all times its ability to carry out international transfers of Client Personal Data and maintain its international data transfer assessment. Eton will cooperate with and provide reasonable assistance to Client in relation to providing such assessment to a Supervisory Authority.
9.8 Costs related to International Transfers of Personal Data to Third Countries. Except as otherwise provided, each party shall bear the costs caused by any actions or measures taken by it under this Section.
10.1 Standard of Protection. This DPA supersedes any provision in the Services Agreement to the extent such provision relates to the privacy, confidentiality, security or protection of Personal Data; provided, however, that in the event of any conflict between this DPA and the Services Agreement, Eton will comply with the obligations that provide the most protection for Client Personal Data.
10.2 Governing Law. This DPA and all claims or causes of action (whether in contract or tort) that may be based upon, arise out of or in any way relate to this DPA will be governed by and construed in accordance with the laws identified in the Services Agreement, except to the extent that Data Protection Laws require otherwise. In such event, and to the extent so required, this DPA will be governed in accordance with such Data Protection Laws and, if applicable, be subject to the jurisdiction of the relevant data exporter that exported the Personal Data.
10.3 Changes in Data Protection Law. Eton will enter into any further agreement reasonably requested by Client for purposes of compliance with Data Protection Laws. In case of any conflict between this DPA and any such further privacy, confidentiality, security or data protection written agreement, such further written agreement shall prevail with regard to the Processing of Personal Data to which it applies.
10.4 Entire Agreement/Amendments. This DPA comprises the entire agreement between Client and Eton with respect to the subject matter hereof, and there are no other agreements, understandings, conditions, or representations, oral or written, expressed or implied, relating to the subject matter hereof, that are not merged into this DPA or superseded by it. No amendment to this DPA will be valid unless made in writing and signed by authorized representatives of all parties.
10.5 Third Party Beneficiaries. To the extent this DPA benefits and/or relates to Client’s Affiliates, such Affiliates shall be third-party beneficiaries of this DPA for all purposes, including, without limitation, enforcing the provisions hereof.
10.6 Counterparts/Electronic Signature. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. This DPA or any counterpart may be exchanged electronically or stored electronically as a photocopy (such as in .pdf format). The parties agree that such electronically exchanged or stored copies will be enforceable as original documents. The parties hereby consent to the use of electronic and/or digital signatures for the execution of this DPA and further agree the use of electronic and/or digital signatures will be binding, enforceable and admissible into evidence in any dispute regarding this DPA.
The Client and Eton, each through its duly authorized representative, agree to the terms and conditions of this DPA as of the Effective Date.
Appendix 1 Schedule of Processing
The following Client Personal Data may be transferred and Processed for the below purposes. If applicable, this Appendix shall form part of the SCCs, which are deemed signed by the parties upon signature to the Services Agreement. As applicable, Section A below shall form part of the Controller-to-Processor SCCs.
Data exporter: The data exporter refers individually and collectively to Client and its Affiliates (as defined in the applicable Services Agreement), established in the European Economic Area (EEA), Switzerland and the United Kingdom.
Data importer: The data importer is Eton if established outside the EEA, Switzerland and the United Kingdom. Eton will also be regarded as data importer when Personal Data is transferred from the EEA or Switzerland to the United Kingdom.
Section A (Processing of Client Personal Data)
Subject-matter: The data exporter may transfer Client Personal Data to data importer in connection with the service and/or product provided by Eton under the Services Agreement.
Duration of the Processing: For the duration of the Services Agreement.
Data subjects: The Client Personal Data transferred may concern the following categories of Data Subjects (please specify):
- Third party vendors and suppliers, including advisors, consultants, professional experts and marketing contacts (who are natural persons) and their employees.
- Additional data subjects may be outlined in a statement of work, purchase order or order form under the Services Agreement.
Categories of data: The Client Personal Data transferred may concern the following categories of data (or a subset of) (please specify):
- Names and contact information (including home and business address)
- Financial and government ID information
- Banking information
- Additional data categories may be outlined in a statement of work, purchase order or order form under the Services Agreement.
Special categories of data (if appropriate): The Client Personal Data transferred may concern the following special categories of data (please specify):
- None expected.
Nature, purpose of the Processing and Processing operations: The Client Personal Data transferred will be subject to the following basic processing activities (please specify):
The Data Importer will process the Data Exporter’s Client Personal Data as set forth in the Services Agreement in connection with providing its services and/or products. This may include any operation such as the transfer of data and any collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Client Personal Data (whether or not by automated means).
Appendix 2 Security Measures
The following details Eton’s administrative, physical, technical and organizational security measures with respect to the Processing of Personal Data. If applicable, this Appendix forms part of the Standard Contractual Clauses and is deemed signed by the parties upon signature to the Services Agreement.
Eton has implemented multiple layers of control aligned to SSAE SOC 2 Type 2 to protect Information Assets.
- Cybersecurity awareness and hygiene
- Background verification (Criminal, education, previous employment, credit checks to name a few)
- Employee Handbook
- Newsletters and emails to reinforce Cybersecurity awareness
- Information Security Policy and Procedures
- Acceptable use policy
- Disciplinary process for breaches
- Change Management Policy
- Incident Response Policy
- BCP and DR practices
- Third Party (vendor) management policy
- Data Classification Policy
- Access to data on the least privilege principle
- Clear Desk Clear Screen policy
- Physical access controls
- Role Based Access Controls with granular role definition.
- Encryption of data at rest, in process and in transit
- Laptop encryption using Windows BitLocker encryption
- All remote access through VPN
- Multi-Layered network protection by using routers, proxy servers, L7 Firewall, WAF
- Intrusion Detection System
- Monitoring of logs, incident detection and response
- Device hardening policy
- Backup and Recovery
- Azure Security Centre
- Azure Key Vault
- Patch Management
- Anti-Malware and AV engine