TimeControlOnline Master Subscription Addendum

This Data Processing Addendum ("ADDENDUM") is effective as of the 7th of May, 2018, forms part of the TimeControl Online Master Subscription Agreement ("Agreement") between Client and Heuristic Management Software Inc. ("HMS Software", “HMS”) and applies where, and to the extent that, HMS Software processes Personal Data on behalf of Client when providing the Service under the Agreement. All capitalized terms not defined in this ADDENDUM shall have the meanings set forth in the Agreement.

A signed PDF version of this Addendum is available at: www.timecontrol.com/pdf/tco_addendum_may2018.pdf.

Definitions

“HMS Software” shall mean Heuristic Management Software Inc., a Canadian federally incorporated company headquartered at 189 Hymus, Suite 402, Pointe Claire, Quebec H9R 1E9 Canada.

“HMS” shall mean Heuristic Management Software Inc., a Canadian federally incorporated company headquartered at 189 Hymus, Suite 402, Pointe Claire, Quebec H9R 1E9 Canada.

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with HMS Software.

"Agreement" means the TimeControl Online Master Subscription Agreement.

"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" will be construed accordingly.

"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

"Model Clauses" means the Standard Contractual Clauses for Data Processors as approved by the European Commission in Decision 2010/87/EU and in the form set out in Annex B.

"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any Data Processor engaged by HMS Software or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this ADDENDUM. Sub-processors may include third parties or members of the HMS Software Group.

"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

"Group" means any and all Affiliates that are part of an entity's corporate group.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Data.

Scope of this Addendum

Scope of ADDENDUM: This ADDENDUM applies where and only to the extent that HMS Software processes Client Data on behalf of Client in the course of providing the Service to the Client pursuant to the Agreement.

Roles and Scope of Processing

Role of the Parties: As between HMS Software and Client, Client is the Data Controller of Client Data and HMS Software shall process Client Data only as a Data Processor acting on behalf of Client.

Client Processing of Client Data: Client agrees that (i) it will comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Client Data and any processing instructions it issues to HMS Software; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary for HMS Software to process Client Data pursuant to the Agreement and this ADDENDUM.

HMS Software Processing of Client Data: As a Data Processor, HMS Software will process Client Data only for the purpose of providing the Service and in accordance with Client’s documented lawful instructions, as set forth in the Agreement and this ADDENDUM. The parties agree that the Client’s complete and final instructions with regard to the nature and purposes of the processing are set out in this ADDENDUM. Processing outside the scope of these instructions (if any) will require prior written agreement between Client and HMS Software with additional instructions for processing.

Third Party Platform: Client may utilize optional features or functionality, in Client’s sole discretion, provided by third party service providers ("Third Party Platform") in the course of using the Service. Client acknowledges that the Third Party Platform will be a Data Processor in respect of any Personal Data provided to the Third Party Platform by the Client. For clarity, such Third Party Platform is not a Sub-processor of HMS Software and is not subject to the provisions of this ADDENDUM. In the case of a Third Party Platform, once the Personal Data has left HMS Software systems and is under the processing responsibility of such Third Party Platform, HMS Software has no further responsibility for such Personal Data under this ADDENDUM.

Details of Data Processing:

Subject matter: The subject matter of the data processing under this ADDENDUM is the Client Data.

Duration: As between HMS Software and Client, the duration of the data processing under this ADDENDUM is the term of the Agreement.

Purpose: The purpose of the data processing under this ADDENDUM is the provision of the Service to the Client.

Nature of the processing: HMS Software provides a cloud-based timesheet system called “TimeControl Online” ("Platform") which enables its Clients to collect and harness time data, and other such professional services as described in the Agreement. HMS Software processes Client Data upon the instruction of Client in accordance with the terms of the Agreement.

Categories of data subjects: Employees, contractors, agents, advisors, freelancers (past, potential, present and future) of Client (who are natural persons); prospects, Clients, business partners, and vendors of Client (who are natural persons).

Types of Client Data: First and last name, email, job title, time spent on work-related tasks, time spent on personal time.

Sensitive Personal Data

Prohibited Data: Client shall not disclose (and shall not permit any data subject to disclose) any Sensitive Personal Data to HMS Software, including but not limited to information submitted through custom field extensions within the Platform, for any processing that is not expressly disclosed in the Details of Data Processing Section above. Where Sensitive Personal Data is nevertheless submitted within Client Data, Client acknowledges that in such cases it shall be in breach of the Agreement (including this ADDENDUM) and accepts full responsibility for any subsequent liability arising from unauthorized or unlawful processing of the Sensitive Personal Data.

Sub-Processing

Authorized Sub-processors: Client agrees that in order to provide the Service, HMS Software may engage Sub-processors to process Client Data. HMS has engaged Amazon and its EC2 Platform as a storage and processing infrastructure for TimeControl Online.

Sub-processor Obligations: Where HMS Software authorizes any Sub-processor as described below:

  • HMS Software will restrict the Sub-processors access to Client Data only to what is necessary to assist HMS Software in providing or maintaining the Service, and will prohibit the Sub-processor from accessing Client Data for any other purpose;
  • HMS Software will enter into an agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Client Data to the standard required by Data Protection Laws; and
  • HMS Software will remain responsible for its compliance with the obligations of this ADDENDUM and for any acts or omissions of the Sub-processor that cause HMS Software to breach any of its obligations under this ADDENDUM.

HMS Software will provide Client with at least 30 days' notice if it intends to make any changes to its Sub-processors. Client may object in writing to HMS Software’s appointment of a new, or replacement of an old, Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Client may suspend or terminate the Agreement (without prejudice to any fees incurred by Client prior to suspension or termination).

Security Measures and Security Incident Response

Security Measures: HMS Software has implemented and will maintain appropriate technical and organizational security measures to protect Client Data from Security Incidents and to preserve the security and confidentiality of the Client Data ("Security Measures"). The Security Measures applicable to the Service are set forth in Annex A, as updated or replaced from time to time in accordance with the Section below entitled “Updates to Security Measures”.

Updates to Security Measures: Client acknowledges that the Security Measures are subject to technical progress and development and that HMS Software may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Client.

Personnel: HMS Software restricts its personnel from processing Client Data without authorization by HMS Software as set forth in the Security Measures and shall ensure that any person who is authorized by HMS Software to process Client Data is under an appropriate statutory or contractual obligation of confidentiality.

Client Responsibilities: Notwithstanding the above, Client agrees that except as provided by this ADDENDUM, Client is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Client Data when in transit to and from the Service and taking any appropriate steps to securely encrypt or backup any Client Data uploaded to the Service.

Security Incident Response: Upon becoming aware of a Security Incident, HMS Software will notify Client without undue delay and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Client. HMS Software will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident.

Audit Reports

Audit Reports: HMS Software audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted internally using the standards set by OWASP (www.owasp.org). Upon Client's request, HMS Software will provide Client with details of the audits it conducts relevant to the Service it is providing to Client.

Confidentiality of Audit Reports: The Client acknowledges that each Report will constitute HMS Software's Confidential Information and will protect the Report in accordance with the confidentiality provisions of the Agreement.

In addition to HMS Software’s audits, additional information about HMS Software’s sub-processor, Amazon EC2, including its certificates from third-party audits, can be found at aws.amazon.com/security. Amazon has successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards, as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP).

Transfers of Personal Data

Data center locations: Unless otherwise agreed between Client and HMS Software, HMS Software will maintain all Client Data in its Sub-processor's Data Center in the United States, which is subject to Privacy Shield regulations. Client may elect, for a fee, to have all data hosted in one of several data centers in other countries. HMS will provide a list of potential Data Center Locations at the request of Client. Under no circumstance will Personal Data be moved by HMS to any other country without the express consent of Client.

Return or Deletion of Data

Following expiration of the Agreement, HMS Software shall delete or return to Client at Client's choice all Client Personal Data in its possession in accordance with the terms of the Agreement save to the extent HMS Software is required by applicable law to retain some or all of the Client Personal Data (in which case, HMS Software shall implement reasonable measures to isolate the Client Data from any further processing).

Cooperation

The Service provides Client with a number of controls that Client may use to retrieve, correct, delete, or restrict Client Data, which Client may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Client is unable to independently access the relevant Client Data within the Service, HMS Software shall (at Client's expense) provide reasonable cooperation to assist Client to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to HMS Software, HMS Software shall not respond to such communication directly without Client's prior authorization, unless legally compelled to do so. If HMS Software is required to respond to such a request, HMS Software will promptly notify Client and provide it with a copy of the request unless legally prohibited from doing so.

If a law enforcement agency sends HMS Software a demand for Client Data (for example, through a subpoena or court order), HMS Software will attempt to redirect the law enforcement agency to request that data directly from Client. As part of this effort, HMS Software may provide Client’s basic contact information to the law enforcement agency. If compelled to disclose Client Data to a law enforcement agency, then HMS Software will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless HMS Software is legally prohibited from doing so.

To the extent HMS Software is required under EU Data Protection Law, HMS Software will (at Client's expense) provide reasonably requested information regarding the Service to enable the Client to carry out data protection impact assessments and prior consultations with data protection authorities as required by law.

General

The parties agree that this ADDENDUM shall replace and supersede any existing ADDENDUM (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Service.

Except for the changes made by this ADDENDUM, the Agreement remains unchanged and in full force and effect, including, but not limited to, the mutual indemnities provided by the parties. If there is any conflict between this ADDENDUM and the Agreement, this ADDENDUM shall prevail to the extent of that conflict. For the avoidance of doubt, any claim or remedies the Client may have against HMS Software, any of its Affiliates and their respective employees, agents and sub-processors arising under or in connection with this ADDENDUM, including: (i) for breach of this ADDENDUM; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Client; (iii) under EU Data Protection Law, including any claims relating to damages paid to a data subject; and (iv) breach of its obligations under the Model Clauses, will be subject to any limitation of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement. Client further agrees that any regulatory penalties incurred by HMS Software in relation to the Client Data that arise as a result of, or in connection with, Client’s failure to comply with its obligations under this ADDENDUM or any applicable Data Protection Laws shall count toward and reduce HMS Software’s liability under the Agreement as if it were liability of the Client under the Agreement.

No one other than a party to this ADDENDUM, their successors and permitted assignees shall have any right to enforce any of its terms.

Any claims against HMS Software or its Affiliates under this ADDENDUM shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual's data protection rights under this ADDENDUM or otherwise.

This ADDENDUM and the Model Clauses will terminate simultaneously and automatically with the termination or expiry of the Agreement.

The provisions of this ADDENDUM are severable. If any phrase, clause, or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this ADDENDUM shall remain in full force and effect.

This ADDENDUM will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Language of Agreement

The parties have expressly requested that this agreement be written in the English language. Les parties ont expressément demandé que ce contrat soit rédigé en langue anglaise.