Salesforce Data Processor Agreement

1.5 FormAssembly may charge third parties to process personal data (« subprocessors ») for subscribers, subject to FormAssembly: 1.6 Within 30 days of the designation of the new subprocessor, the subscriber may object in writing to FormAssembly. If the subscriber objects, FormAssembly will make reasonable efforts to demonstrate the subscriber`s opposition. If the subscriber`s objection cannot be properly sampled, any party can terminate the contract after a 30-day written notification. This is the only and exclusive recourse of the subscriber. The data importer must not invoke a breach of its obligations by a subcontractor processor in order to avoid its own commitments. (j) make available to the person concerned, at his request, a copy of the clauses or an existing contract for sub-treatment, unless the clauses or contract contain commercial information, in which case they may withdraw this commercial information, with the exception of Appendix 2, which is replaced by a summary description of security measures in cases where the person concerned is unable to do so. Obtain a copy from the data exporter (c) that it implemented the technical and organizational security measures covered by Appendix 2 prior to the processing of personal data transmitted; 1.2 Each party will fulfil its respective obligations under data protection legislation as responsible for processing or processing data (if any) with respect to the processing of subscribers` personal data within the framework or in connection with the agreement. 5.1 Enter the categories of people involved who are subject to treatment, for example. B users, employees. (e) any legally binding request for disclosure of personal data by a law enforcement service, unless otherwise stated, such as a criminal prohibition. B in order to preserve the confidentiality of a criminal investigation; b) the « data exporter » the person responsible for the processing of the personal data; 1.10 Subject to a maximum request for review over a 12-month period, FormAssembly, after proper notice, contributes to audits conducted by the subscriber (or any other reviewer mandated by the subscriber) for the purposes covered by Section 1.9, provided that the subscriber (or any other reviewer mandated by the subscriber) is bound by appropriate confidentiality obligations.

For section 1.9, the subscriber may conduct an on-site audit at their own expense if (a) FormAssembly informs the subscriber of a security breach; (b) the subscriber reasonably considers formAssembly to be inconsistent with its data security obligations in accordance with this issuance, including the referenced schedules, or (c) on-site control is required by the Data Protection Act. To the extent that data protection legislation allows, FormAssembly can respond to a review request by providing the subscriber with a copy of an independent audit report (which may be made necessary to ensure confidentiality).