Rows Logo
  • Home
  • Login

 

ADDENDUM TO THE ROWS SERVICE TERMS OF USE IN RELATION TO EU DATA PROCESSING

Rows Service

 

www.rowsapp.com

This is a supplemental data processing addendum (the ‘Addendum’) which is incorporated therein by reference and shall form part of the Rows Service Terms of Use (https://apps.rowsapp.com/termsofuse) and any ancillary or related documentation as updated or amended, from time to time (the ‘Terms of Use’), between you/the Account Owner and us/Rows Limited (as defined in the Terms of Use).

 

 

Execution and Binding Nature of this Addendum

1. When you, in your quality as Account Owner, use our Service, you will act as a controller (or other processor, as the case may be) of personal data, and we will in turn act as a processor (or sub-processor, as the case may be) of such personal data, under and in accordance with applicable data protection legislation (as defined herein).

 

2.  Customers using cloud services to process personal data are required to have a data processing agreement in place between them (this being, the Account Owner) and their cloud services provider (this being, Us) in order to ensure that any form of processing is conducted in accordance with applicable laws including the GDPR. This Addendum applies if and to the extent that we process personal data of or on behalf of a customer that qualifies as a controller or processor with respect to that personal data under applicable data protection legislation (as defined below).

This Addendum is an integral part of, is included in and supplements our Terms of Use and applies automatically as from 25th May, 2018, whenever you use our Service. There is no extra engagement which is required from you in order to be compliant with the GDPR requirement for data processing terms. If you have signed and executed an offline version you can rely on the provisions of that Addendum. If you had entered into earlier data processing terms with us, those terms are replaced by this Addendum.

 

Except as amended by this Addendum, the Terms of Use shall remain in full force and effect. This Addendum, together with the Terms of Use, are legally binding on you whenever you use our Service and any claims brought under this Addendum shall be subject to the terms and conditions set forth in the Terms of Use. In the event of any conflict or inconsistency as regards the subject matter of this Addendum between this Addendum and the Terms of Use, the provisions of this Addendum shall prevail.

 

We are committed to working along your side to ensure GDPR compliance at all times. Any queries regarding this Addendum should be sent to support@rowsapp.com.

 

Definitions

In this Addendum, the following terms shall have the following meanings:

  • a) ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘processing’ and ‘special categories of personal data’ shall have the meanings given in applicable data protection legislation;
  • b) ‘applicable data protection legislation’ shall mean the EU General Data Protection Regulation, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (the ‘GDPR’), which Regulation became directly applicable on 25th May 2018, and any applicable national laws made under the GDPR, in particular, Chapter 586 of the Laws of Malta, the Data Protection Act (the ‘DPA’), and any subsidiary legislation issued thereunder, as amended or supplemented, from time to time;

 

All capitalised or other terms not defined in this Addendum shall have the meaning set out in the Terms of Use.

 

Data Protection

1. Details of the Processing.

Details of the processing of personal data as regards the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects to whom personal data relates and the obligations and rights of the controller, are briefly set out and outlined in Annex I of this Addendum and further detailed throughout this Addendum as well as the Terms of Use and the Privacy Policy adopted by us which is deemed to form an integral part of the Terms of Use.

 

2. Relationship between the parties to this Addendum.

You appoint us as a processor (or sub-processor), as the case may be, to process personal data as described in/under the Terms of Use (the ‘Data’), on your behalf, for the purposes described and the terms set out in, the Terms of Use, including, for the avoidance of doubt, to provide you with, and update and improve, the Service, or as otherwise agreed in writing by the parties (the ‘Permitted Purpose’). Each party shall comply with the obligations that apply to it under applicable data protection legislation. Irrespective of whether, in the circumstances, we are appointed as a processor or sub-processor, the respective obligations contemplated herein shall be unaffected as we will in either case be deemed to be a processor in your respect in any such event.

 

3. Instructions from the Data Controller

As a processor under applicable data protection legislation, we can only act to the extent and in accordance with the documented instructions for processing we receive from you, in your quality as controller, or, where you act as processor, in accordance with the documented instructions passed on to you in your quality as processor by the controller (the ‘Instructions’). The parties agree that the Terms of Use and this Addendum set out and constitute documented instructions regarding the processing by us of Data.

You shall be responsible for ensuring that you continue to comply with applicable data protection legislation, at all times, and that you have and shall continue to have, the right to transfer and provide access to, the Data, to us, for processing, in accordance with the Terms of Use and the provisions of this Addendum.

 

4. Prohibited Data

You shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to us for processing unless you have been specifically requested by us to do so.

 

5. Restricted International Transfers

We shall not transfer Data outside of the European Union/European Economic Area (‘EU/EEA’) unless we have taken such measures as are necessary to ensure that the transfer is compliant with applicable data protection legislation. Such measures may include, without limitation, transferring the Data to a country that is deemed to afford an adequate level of protection of personal data, equivalent to EU standards, or to a data recipient/importer that has otherwise executed standard contractual clauses or binding corporate rules, where applicable, adopted or approved, as the case may be, by the European Commission. In the event of any conflict or inconsistency between this Addendum and any such standard contractual clauses, the standard contractual clauses shall prevail.

 

6. Confidentiality of Processing and Training

We shall procure that any other person whom we authorise to process Data including employees, agents, contractors and other representatives accessing or otherwise processing Data (an ‘Authorised Person’) is subject to a statutory obligation of confidentiality or otherwise undertakes to protect the confidentiality of such Data in accordance with the confidentiality obligations binding us under the provisions of the Terms of Use. We shall also ensure that all such Authorised Persons are aware of the Terms of Use and this Addendum and have received comprehensive training on applicable data protection obligations and related good practice and are bound by a commitment of confidentiality as afore-described.

 

Sub-processors

You hereby agree that we may appoint and engage third parties as sub-processors to process Data for the Permitted Purpose on our behalf and/or pursuant to your Instructions, provided that:

  • we undertake to impose the same data protection obligations as set out in the Terms of Use and this Addendum, in particular, to provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements and standards prescribed by applicable data protection legislation;

 

  • we shall restrict the sub-processor’s access to Data only to what is necessary in order for us to continue to provide and maintain the Service in accordance with the Terms of Use and this Addendum;
  • we shall remain liable to you for the failure or improper performance of the data protection obligations, as afore-described, of/by the sub-processor; and

 

  • we shall maintain an up-to-date list of our sub-processors on our Website or otherwise provide it to you, upon request, and shall implement a mechanism to notify you in advance of any proposed changes thereto in order to give you the right to object to the appointment of new sub-processors or their replacement, provided that, an objection on your part shall be based on reasonable grounds relating to data protection. In the event of any such objection, we shall, at our discretion, either elect to refrain from making such appointment or replacement, take corrective steps requested by you in order to be able to proceed with the appointment of such sub-processor, or, if this is not reasonably possible and the objection has not been resolved to our mutual satisfaction, we may allow you to suspend or terminate your relationship with us without incurring any penalty, where applicable, with regard to early termination. We reserve the right to change or replace a sub-processor with immediate effect if deemed absolutely urgent and necessary to continue to provide you with the Service, in which case, you will nonetheless retain the right to object to the replacement or the change in the manner afore-described.

 

8. Data Subject Rights and Cooperation

Taking into account the nature of the processing, we endeavour to co-operate and assist you, to the fullest extent of our ability and in a timely manner, in so far as this is possible and reasonable for us to do so, to respond to any inquiries, communications or requests you receive, in your quality as controller or processor, as the case may be, by data subjects seeking to exercise their rights under applicable data protection legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable, or to address any other queries or complaints received from data subjects, competent supervisory authorities or other third parties in relation to the processing of Data. We reserve the right to charge a fee based on reasonable costs incurred for the provision of such assistance, details of which fee shall be provided in advance.

 

We also undertake to promptly inform you and provide full details, without undue delay, should we receive any such inquiries, communications, requests or complaints directly, including inquiries or requests for disclosure regarding Data from a competent supervisory or other authority or law enforcement authority.

 

Our Service enables you to activate a number of controls including specific security features and functionalities that you may use to retrieve, correct, delete or restrict Data, which controls may be used to assist you in connection with your respective obligations under the GDPR, including responding to requests from data subjects.

 

You remain responsible for properly configuring the Service and implementing any such control measures to ensure compliance with GDPR requirements including to respond to queries from data subjects regarding their Data.

 

9. Security Measures and Security Incidents

We commit to implementing technical and organisational measures – see Annex II of this Addendum – taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the processing, as well as the risk of likelihood and severity of impact to the rights of data subjects, to protect the Data from any security breach or other incident including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, the Data (‘Security Incident’).

 

As soon as we become aware of any Security Incident, we undertake to promptly inform you, without undue delay, and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to comply with any data breach reporting or notification obligations you may have toward the competent supervisory authority which is concerned by/with the protection of personal data and to data subjects, where applicable, in accordance with applicable data protection legislation. We further undertake to take any and all such reasonable measures and actions to remedy or mitigate the effects of any such Security Incident and to keep you informed of all material developments in connection with the same.v

 

Our undertakings or commitments in the manner here-afore described do not constitute an admission on our part of any fault or liability with respect to any such Security Incident. Furthermore, unsuccessful Security Incidents fall outside the scope of this provision.

 

10. Security Reports and Audits

In addition to the information contained under this Addendum and the Terms of Use, upon your written request and subject to confidentiality obligations pursuant to the Terms of Use or provided there is an applicable non-disclosure agreement (‘NDA’) in force, we may make available to you a copy of our most current security attestation or system audit report (such as SOC 2 or equivalent) that has been drawn up by independent auditors in accordance with industry standards, in the same manner and form that we generally make it available to our customers. Alternatively, we shall cooperate with you to allow you or your independent auditor to conduct an onsite audit of the procedures relevant to the protection of personal data subject to confidentiality and non-disclosure obligations as afore-described. We reserve the right to charge a fee based on reasonable costs incurred for the undertaking of any such audit, details of which fee shall be provided in advance of the audit.

 

11. Data Protection Impact Assessment

If we believe or become aware that our processing of Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, we shall duly inform you and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to carry out any data protection impact assessment that may be required under applicable data protection legislation.

 

12. Deletion or Return of Data

Upon expiry or termination of the Terms of Use, and, consequently, upon the termination of your relationship with us contemplated by the Terms of Use, we shall, upon your explicit request, delete or return any Data that is/may be in our possession or control (in a manner and form as we shall reasonably determine), provided that, this shall be without prejudice to the exercise of our rights and obligations under applicable data protection legislation to archive or otherwise aggregate and anonymise Data, or to retain some or all of the Data in which case we shall extend the protections of the Terms of Use and this Addendum to such Data and limit further processing of such Data to only the limited purposes that require or permit retention for as long as we maintain that Data.

 

13. Obligation to demonstrate Compliance

We shall make available to you all information necessary, in so far as this is possible and reasonable for us to do so, to demonstrate our compliance with our obligations under applicable data protection legislation and undertake to carry out audits, including allowing inspections by you or an independent auditor mandated by you, in the manner afore-described.

 

 

 

Annex I

Data Processing Schedule

 

1. Subject Matter and Duration of Processing of Personal Data

We act as a sub-/processor in relation to personal data when we process such data on your behalf in your quality as data controller or other processor, as the case may be. This may include the processing of personal data relating to organisations or persons whom you elected to add as Users of/to the Service or were otherwise added with your authority or as a result of your use of the Service (‘connected organisations’).

 

The duration of processing personal data shall be for as long as we have a business relationship with you and at the end of that relationship, we will act in accordance with the provisions of this Addendum regarding the deletion or return of such personal data.

 

2. Nature and Purpose of Processing Personal Data

The nature and purpose of processing personal data is primarily to be able to provide you with the Service you request from us in accordance with and in furtherance of the performance of the contract allowing you to use the Service, thus enabling the provision, delivery, performance and functionality of the Service in accordance with the Terms of Use and related documentation.

 

3. Types of Personal Data Processed

The types of personal data processed include:

  • contact details
  • billing details
  • other identification details (e.g. tax registration numbers, etc)
  • other personal data types for use on/via the Service

 

4. Categories of Data Subjects

The categories of data subjects include:

  • your customers, suppliers, service providers, contractors, employees and other contacts
  • customers, suppliers, service providers, contractors, employees and other contacts of your own customers

 

 

 

Annex II

Security Measures

 

1. Some of the technical and organisational measures adopted and implemented by us include:

  • we abide by the ‘privacy by design’ principle – our Service was intrinsically designed, developed and built in such a way as to incorporate security features/tools to assist in maintaining and protecting the privacy and integrity of Data in the cloud industry space
  • we apply internal security procedures and measures to control access rights – our employees and other agents who have access to, handle or manage Data, in the course of the performance of their functions, are required to comply with strict security protocols
  • we employ security measures such as using virtual firewalls to protect against intruders and the use of Azure services ensures that traffic arriving to us is legitimate
  • we use technologies such as Secure Socket Layer (‘SSL’) to ensure that data processed by/flowing from us over the internet is encrypted, thereby remaining private and integral
  • our sub-processors and cloud services providers use data centre facilities and servers and employ measures that comply with GDPR requirements, thereby providing protection against the accidental or unlawful loss, access or disclosure of Data, or any other form of unauthorised use of Data or Security Incident, and implementing measures that minimize security risks
  • we employ redundancy plans and backups throughout our network so that if one server goes down, another can cover for it

 

 

These Terms were last updated on 12 May 2021.

Rows Excel Add In for Xero and QuickBooks