DPA Edgehood Data Processing Agreement

This DPA, as defined below, forms part of the Contract for Services under the Edgehood Customers Terms and Conditions (the “Principal Agreement”), between an Edgehood Application Customer (the “Customer”, or the “Data Controller”) and Openhood SARL (“Openhood”, or the “Data Processor”) (together the “Parties”).

This DPA is an amendment to the Principal Agreement and is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this DPA will form a part of the Principal Agreement. The term of this DPA is the same as the term of the Principal Agreement.

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data on its behalf, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 “DPA” means this Data Processing Agreement and all Schedules;

1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means:

1.1.8.1 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or

1.1.8.2 an onward transfer of Customer Personal Data from a Contracted Processor to a subcontracted processor, or between two establishments of a Contracted Processor;

1.1.9 “Services” means the services Passbolt provides. The data processing performed by the Data Processor on behalf of the Controller relates to the services of credentials and password management. The data processing details and procedure can be found in the Edgehood Privacy Policy.

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Description of the Processing

2.1 The subject matter, duration, nature and purpose of the Processing as well as the type of Personal Data and categories of Data Subjects are set out in Schedule 1 (Details of Processing).

3. Instructions and purpose

3.1 Processor

The Controller confirms that it has assessed, established and documented, based on information exchanged and the Processor’s expert knowledge, reliability, resources and reputation, that the Processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR.

3.2 Documented instructions

3.2.1 The Processor shall Process the Personal Data in accordance with the documented instructions of the Controller, including as described in the Principal Agreement and this DPA, and this is the sole purpose for which the Processor may Process the Personal Data. The Controller confirms that the Processor’s obligations under the Principal Agreement and this DPA constitute instructions to be followed by the Processor.

3.2.2 Any further instructions to Process Personal Data may be sent by email by the Controller to the authorised representative of the Processor at the contact details provided by the Processor, or using the contact details set out in Section 13.2 of this DPA.

3.2.3 Notwithstanding 3.2.1 above, the Processor may also Process and/or transfer Personal Data as required by applicable EU or EU Member State law. In case of such requirement of EU or EU Member State law, the Processor shall inform the Controller of that legal requirement before Processing the Personal Data, unless that law prohibits such information to be provided to the Controller on important grounds of public interest.

3.2.4 The Processor shall immediately inform the Controller if, in its opinion, any instruction given by the Controller infringes any Data Protection Laws. The Controller shall respond to such notification from the Processor within 10 Business Days. In case of inaction from the Controller or in case the Controller persists with an unlawful instruction, the Processor shall be allowed to terminate this DPA, without indemnity, other notice or the prior intervention of a judge.

3.3 Controller’s obligations

3.3.1 The Controller warrants and guarantees that (i) it has lawfully obtained the Personal Data, (ii) the Processing of the Personal Data by the Processor is lawful and has specific purpose, (iii) any required notices have been made and (iv) consent has been obtained (where applicable) or there is another appropriate lawful Processing ground enabling (a) the Controller to transfer the Personal Data to the Processor and the Processor to receive the Personal Data from the Controller and (b) the Processor to lawfully Process the Personal Data.

3.3.2 The Controller shall inform the Processor as to the risk involved in the Processing and as to any other circumstance the Processor should reasonably be informed about in order to comply with this DPA.

3.4 Compliance with Data Protection Laws

In the course of the provision of the Services and the resulting Processing of Personal Data, the Parties shall comply with all Data Protection Laws as applicable to each Party respectively.

4. Security

4.1 Processor shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors or those of any Contracted Processor, who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.2 The Processor shall at all times take all appropriate technical and organisational measures to secure the Personal Data which are or will be Processed by the Processor on behalf of the Controller against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. These security measures shall include the measures set out in Schedule 2 (Passbolt’s TOM) which are deemed to be approved by the Controller. The Processor will use reasonable efforts to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. The measures shall also aim at preventing unnecessary collection and further Processing of Personal Data.

4.3 The Processor shall obtain the Controller’s approval before making any material changes to its technical and organisational security measures. The Controller shall not unreasonably withhold approval for such changes.

4.4 In order to maintain an appropriate level of security as described in paragraph 4.2 above, the Processor shall perform regular security checks and implement updates where required.

4.5 Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to the Controller’s obligation to adopt adequate technical and organisational security measures.

5. Subprocessing

5.1 Controller’s authorisation

5.1.1 The Processor may not engage another Contracted Processor without the Controller’s prior written authorisation. As a general written authorisation, the Processor is allowed to appoint Contracted Processors to Process Personal Data under this DPA, provided that such Contracted Processors provide sufficient guarantees to implement appropriate technical and organisational measures so that the relevant Processing meets the requirements of the GDPR.

5.1.2 The Controller is deemed to have authorised in writing the Processing of Personal Data by the Contracted Processors as listed in Schedule 3 (Approved Contracted Processors).

5.1.3 The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of other Contracted Processors, thereby giving the Controller the opportunity to object to such changes. Objections by the Controller must be accompanied by a written justification, e.g. demonstrating that a Contracted Processor cannot ensure adequate protection of the Personal Data. If, within 10 Business Days of receipt of this notice, the Controller has not provided any reasonable objection to the intended change, the Controller is deemed to have authorised the intended change.

5.1.4 The Processor shall remain fully and unconditionally liable to the Controller for the Contracted Processor’s performance of any obligation or part of it arising out of the Principal Agreement, this DPA or any other agreement between the Controller and the Processor.

5.1.5 The Processor shall maintain a list of Contracted Processors including, to the extent reasonably possible, their respective locations, activities and the safeguards implemented by them.

5.2 Contract with Contracted Processor

5.2.1 The Processor shall impose on all Contracted Processors written data protection obligations that offer at least the same protection of Personal Data as the data protection obligations to which the Processor is bound on the basis of the Principal Agreement and this DPA. At the Controller’s request, the Processor shall provide the Controller with a copy of any written agreement entered into by the Processor with a Contracted Processor. The Processor may remove any agreed commercial terms from such copies.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. This includes, as appropriate, measures allowing the Processor to access, rectify, erase or restrict Personal Data, or to provide Personal Data to the Controller in a structured, commonly used and machine-readable format.

6.2 In the event where a Data Subject submits a request to exercise any of its Data Subject rights to the Processor, the Processor shall:

6.2.1 promptly notify the Customer; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify the Customer without undue delay and in any case within seventy-two (72) hours after becoming aware thereof of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 The Processor shall co-operate with the Customer and take such commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Customer Personal Data

9.1 Obligation to delete or return Personal Data

Upon termination of the Principal Agreement or this DPA, or at the written request of the Controller, the Processor shall, at the choice of the Controller, return the Personal Data and all copies thereof to the Controller and/or securely destroy (delete) such Personal Data and all existing copies thereof, taking into account its obligations pursuant to Article 32 GDPR. To the extent the Processor cannot comply with the Controller’s request to return and/or destroy Personal Data because applicable EU or EU Member State statutory provisions require longer storage, the Processor shall inform the Controller of such legal obligation, keep the Personal Data confidential and only Process the Personal Data to the extent required by the applicable EU or EU Member State law.

9.2 Deletion or return term

Any request for deletion or return of Personal Data under this Section 9 shall be performed by the Processor within 30 Business Days after the date of the request from the Controller or the termination of the Principal Agreement or this DPA, unless otherwise agreed upon at such time by the Parties. The Processor shall confirm in writing that it has returned or destroyed all Personal Data and copies thereof in accordance with the request of the Controller.

10. Audit rights

10.1 The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, which may include relevant portions of the Processor’s record of processing activities, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Customer in relation to the Processing of the Customer Personal Data, including by the Contracted Processors.

10.2 Information and audit rights of the Controller only arise under Section 10.1 to the extent that the DPA does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law.

10.3 The Controller shall:

a. give the Processor reasonable notice of the intention to perform (or have performed) an audit or inspection pursuant to this Section;

b. ensure that the audit or inspection is performed in compliance with the Processor’s reasonable confidentiality provisions, as notified by the Processor to the Controller; and

c. ensure that reasonable efforts are used to minimise any disruption to the business of the Processor caused by the performance of the audit or inspection.

11. Data Transfer

11.1 The Processor may not transfer or authorise the transfer of Data to countries outside the European Economic Area (EEA) unless the Controller has given its prior written approval and:

a. an adequacy decision exists in relation to the non-EEA recipient;

b. the transfer of Personal Data is governed by the terms of appropriate EC standard contractual clauses. The Controller hereby mandates the Processor to enter into the EC standard contractual clauses with non-EEA recipients on its behalf;

c. the protection of the Personal Data is ensured through application of another appropriate safeguard within the meaning of Article 46 GDPR; or

d. in the absence of an adequacy decision or appropriate safeguard, the conditions set forth in Article 49 GDPR, regarding derogations for specific situations, are met.

11.2 When requesting the approval from the Controller under 11.1 above, the Processor shall provide the Controller with information about the relevant country of destination and the relevant data transfer mechanism.

11.3 The Processor shall ensure that all required measures, commitments, certifications and safeguards necessary to rely on any data transfer mechanism are maintained. If a data transfer mechanism relied upon for a transfer under this Section 11 is no longer maintained, requires adjustment or is invalidated as a result of any change in Data Protection Laws or a decision of a Supervisory Authority or other competent authority, the Processor shall immediately inform the Controller thereof and take appropriate action. Such action may include putting in place an alternative data transfer mechanism to ensure that the transfer(s) continue to be performed in compliance with Data Protection Laws.

11.4 For the avoidance of doubt, any written approval from the Controller to transfer Personal Data to a non-EEA recipient, including the mandate provided under 11.1.b. above, shall constitute a documented instruction within the meaning of Section 3.2 (Documented Instructions).

11.5 The Controller hereby approves transfers of Personal Data to the Contracted Processors listed in Schedule 3 (Approved Contracted Processors) which are non-EEA recipients, provided the other terms of 11.1 above are met.

12. Confidentiality

12.1 Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

13. Miscellaneous

13.1 The Processor may require the Customer to reimburse the Processor’s costs and expenses in complying with its obligations pursuant to Sections 4 (Security), 6 (Data Subject Rights), 7 (Personal Data Breach), 8 (DPIA and Prior Consultation) and 10 (Audit Rights), subject to these costs and expenses being reasonable.

13.2 Any notices, information and communications under this DPA may be sent by email using the following email addresses:

For the Processor: [email protected]

For the Controller: the email address used to send invoices to the Customer.

Such contact details may change from time to time and shall be notified by the relevant Party.

13.3 Nothing in this DPA reduces the Processor’s obligations under any other agreement between the Parties in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by any other agreement between the Parties. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

13.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13.5 The Parties agree that they will amend this DPA if reasonably required to comply with Data Protection Laws.

14. Governing Law and Jurisdiction

14.1 This DPA is governed by the laws of the Grand Duchy of Luxembourg.

14.2 Any dispute arising in connection with this DPA which the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of the city of Luxembourg.

Date of Last Update

This agreement was last updated on May 21st, 2021.