Last updated: February 1, 2022
These Data Processing Terms (“DPA” or “Data Processing Terms”), when incorporated by reference into a commercial agreement (“Agreement”) between The Descartes Systems Group Inc. or one of its affiliates (hereafter referred to as “Descartes”) and a Customer, as defined in the Agreement, apply to any Processing of Personal Information performed by Descartes on Customer’s behalf as part of Descartes’ provision of GLN Services, Data Services, or other services (collectively “Services”). All capitalized terms used in these Data Processing Terms shall have the meaning set out in the Agreement unless otherwise defined in these Data Processing Terms.
Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the Data Processing Terms, the Data Processing Terms shall take precedence but only to the extent of the conflict. For greater certainty, where an obligation is not addressed in these Data Processing Terms which is addressed in the Agreement, a conflict shall not be deemed to have arisen.
These Data Processing Terms do not apply to the Processing of any data that does not qualify as Personal Information under Data Protection Regulations.
1. Relationship Between the Parties
Descartes provides one or more Services to Customer under an existing commercial relationship. Descartes and Customer are separate legal entities with independent obligations under Data Protection Regulations. Customer understands that it may have an obligation under Data Protection Regulations to independently determine whether its use of Services complies with Data Protection Regulations. Customer acknowledges that Descartes has not made, and explicitly disclaims, any representations that the use of Services will cause Customer to become compliant with Data Protection Regulations.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; for the purposes of this DPA, where Customer acts as processor for another controller, it shall in relation to Descartes be deemed as additional and independent Controller with the respective controller rights and obligations under this DPA.
“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Protection Regulations” means (a) Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5); (b) the General Data Protection Regulation (Regulation (EU) 2016/679) and applicable laws by EU member states which either supplement or are necessary to implement the GDPR (collectively “GDPR”); (c) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.198(a)), along with its various amendments (collectively “CCPA”); and (d) any other applicable law related to the protection of Personal Information.
“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision (EU) 2021/914 of 4 June 2021 for the Transfer of Personal Data to Processors established in Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
“Personal Information” means any information that relates to a Data Subject that Customer or its Administrative User or Permitted Users provide to Descartes to Process under the Agreement.
“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Information that is stored on computers, servers, or mobile devices owned or maintained by Descartes, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor List” means the list of Descartes’ Affiliates and/or Third Party Processors who may assist Descartes with some or all of the Processing of Personal Information of the Customer, a copy of the list being accessible at https://www.descartes.com/legal/privacy-center/supplemental-privacy-information.
“Third Party Processor” means a third party subcontractor, other than a Descartes’ Affiliate, engaged by Descartes, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Information of the Customer.
3. Controller and Processor of Personal Information
Customer shall remain the Controller of the Personal Information for the purposes of the Agreement, including under this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Information to Descartes (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Information. Customer will not provide Descartes with access to any special categories of Personal Information, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Information unless permitted in the Agreement.
Descartes is a Processor of the Personal Information for the purposes of the Agreement. Descartes will Process Personal Information as necessary for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Information to third parties other than to Descartes’ Affiliates or Third Party Processors for the aforementioned purposes or as required by law.
4. Types of Personal Information
Customer authorizes and requests that Descartes Process the necessary types of Personal Information required to fulfill the Agreement, which shall include only:
a) personal contact information of Customer’s employees, trading partners or contractors (such as name, home address, home telephone number, mobile number or email address, etc.);
b) transactional data (such as details of goods and services purchased, value of purchase, VAT registration number, delivery addresses, or names and contact information of shippers, receivers, or other individuals involved in the transportation or movement of the goods); and
c) where required, identification data (such as government ID numbers if required by a government when information is submitted to or received from that government).
5. Processing Instructions
Customer authorizes Descartes to Process Personal Information for the following purposes only:
a) providing the requested Descartes product or service under the Agreement;
b) communicating about the Descartes product or service including confirming the provision of all or part of the product or service;
c) handling or preparing for disputes or litigation;
d) complying with Customer’s written instructions in accordance with Section 5;
e) to comply with Descartes’ legal or regulatory obligations; and
f) for no other reason unless provided for under the Data Protection Regulations.
To the extent Descartes receives additional instructions for the Processing of Personal Information, Descartes will comply with such instructions to the extent necessary for: (i) Descartes to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement, which may include but is not limited to reasonably assisting Controller in the performance of any required data protection impact assessment or prior consultation with regulatory authority specified under Data Protection Regulations as it relates to the Processing or intended Processing by Descartes. Without prejudice to Descartes’ obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Descartes to comply with Customer’s instructions with regard to the Processing of Personal Information that require the use of resources different from, or in addition to, those normally required for the provision of the product or services under the Agreement.
Customer will ensure that its instructions to Descartes for the Processing of Personal Information will, at all times, be lawful and in compliance with the Data Protection Regulations. Descartes will notify Customer if it reasonably believes any instruction or request from the Customer will require Descartes to take any action that Descartes reasonably believes will not be in compliance with the Data Protection Regulations. Descartes shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.
6. Requests from Data Subjects
In the event Descartes receives any requests from Data Subjects to access, remove, release, restrict, modify, or otherwise limit the Processing of Personal Information, Descartes will promptly provide to Customer a copy of that request to Customer’s designated contact in the Agreement. Descartes will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law.
Where the Services already provide Customer with sufficient means to comply with any such requests, Customer agrees that it will utilize those means to respond to any Data Subject requests. Customer is responsible for using those means properly in accordance with any documentation or written guidelines provided by Descartes from time to time, and will not hold Descartes responsible for any improper use.
In the event the Services do not provide any means for Customer to self-manage a specific Data Subject request, Descartes will use commercially reasonable efforts, on Customer’s written instruction, to effect that specific Data Subject request. Notwithstanding the above, at no time shall Descartes have any obligation to alter any records that are maintained as a system of record of past transactions, to make any change to any records that would be inconsistent with the purpose for which the Personal Information was originally provided to Descartes for Processing, or to alter any record that Descartes is required to keep by any law or for any regulatory purposes. If Customer requires Descartes to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, modification, or blocking of access to Personal Information on behalf of Customer, Customer and Descartes will mutually agree on the scope of the work that Descartes may be willing to undertake and the reasonable fees, if any, for such work.
7. Cross-Border Transfers Out of the European Union or United Kingdom
Any transfers of Personal Information of Data Subjects out of the European Union or out of the United Kingdom, as the case may be, either to Descartes from Customer, or by Descartes to a Descartes Affiliate or a Third Party Processor, will be subject to the following protections if required by Data Protection Regulations, presented in the order by which they will be applied:
a) Transfer made subject to applicable local laws where Descartes, the Descartes Affiliate, or Third Party Processor is located within a jurisdiction deemed by the European Commission, or other similar body, to be a jurisdiction with data protection laws and regulations deemed “adequate” as set out at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (as amended from time to time).
b) Transfer is subject to the terms of the European Union’s standard Model Clauses (alternatively referred to as the Standard Contractual Clauses and as found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en or other replacement websites as set out by the European Commission) if permitted by applicable Data Protection Regulations.
c) Transfer made subject to any other manner as specified in and permitted by applicable Data Protection Regulations.
8. Additional Processors
Some or all of Descartes’ obligations under the Agreement may be performed by Descartes’ Affiliates and/or Third Party Processors. Descartes maintains a Processor List, which lists all Descartes’ Affiliates and Third Party Processors that may Process Personal Information on behalf of Descartes. A copy of that list is available at https://www.descartes.com/legal/privacy-center/supplemental-privacy-information or upon request.
The Descartes’ Affiliates and Third Party Processors are required to abide by substantially the same obligations as Descartes under this DPA as applicable to the Processing of the Customer’s Personal Information and, in any event, in a manner that is compliant with the Data Protection Regulations.
Descartes remains responsible at all times for compliance with the terms of this DPA by Descartes’ Affiliates and Third Party Processors. Customer consents to Descartes’ use of Descartes’ Affiliates and Third Party Processors in the performance of the Services in accordance with this DPA.
If additional Descartes’ Affiliates or Third Party Processors are required to process Customer’s Personal Information in connection with Descartes’ performance under an Agreement, Customer will be notified in advance of changes to the Processor List by way of a subprocessor list update, as described above. The Customer may refuse to consent to the involvement of a Descartes’ Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Descartes of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Descartes’ Affiliate or Third Party Processor’s ability to adequately protect Personal Information in accordance with this DPA. In the event that the Customer’s objection is justified, Descartes and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Descartes and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as a result of early termination of the Agreement.
9. Security Measures
Descartes shall implement appropriate physical, administrative, organizational, technical, and personal security measures based on the type and nature of the Personal Information being processed and the level of risk associated with it and as required by Data Protection Regulations. Descartes shall retain all Personal Information, including Personal Information that is contained on back-up media, in a logically secure environment that protects it from unauthorized access, modification, theft, misuse and destruction. Descartes shall ensure that platforms hosting the Personal Information are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorized change. Descartes’ security policy shall not allow electronic files containing Personal Information to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Information is encrypted using industry standard encryption technology. Descartes shall ensure that all employees with access to Personal Information are subject to a duty of confidence and/or written confidentiality agreement.
10. Breach Management and Notification
For the purposes of this section, “Security Breach” means the misappropriation or unauthorized Processing of Personal Information located on Descartes’ systems, including by a Descartes employee, that compromises the security, confidentiality or integrity of such Personal Information or otherwise results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Descartes will: (i) within seventy two (72) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, or sooner as required by applicable law, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Information and the initial steps taken by Descartes to address the Security Breach; and (iii) within fifteen (15) business days, or sooner as required by applicable law, provide to Customer a detailed incident report analyzing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.
In investigating any Security Breach, Descartes will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Descartes will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.
11. Security Breach Public Statements
In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities. Unless agreed to otherwise, the controller shall at all times be responsible for communicating with the data subject and any relevant data protection authorities and processor shall refrain from doing so, except that neither party may make any statements or issue any notices that purport to be on the behalf of the other party. Notwithstanding the above, nothing in this DPA shall be interpreted as limiting or restricting either party’s obligations to report to or otherwise communicate with any relevant data protection authority or data subject as required under any applicable Data Protection Regulations.
During the Term of the Agreement, on an annual basis, Descartes will conduct, at no charge to Customer, an SSAE SOC 2, Type I audit of controls relating to the network operations of Descartes through which Personal Information is processed by Descartes under an Agreement. The results of that audit (“Audit Report”) are considered the confidential information of Descartes, and will be provided by Descartes to Customer on request only. The audit will be performed by an independent qualified third party auditor (or similarly qualified person). If a deficiency is identified as a result of such audit, Descartes will remediate, as Descartes deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Descartes.
In the event Customer wishes to audit Descartes’ compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Descartes’ compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Information to the extent required by laws applicable to Customer. Prior to the commencement of any audit, the Auditor must execute a written confidentiality agreement acceptable to Descartes.
To request an audit, Customer must submit a detailed audit plan to Descartes at least four weeks in advance of the proposed audit date, unless a shorter period is required under Data Protection Regulations. The audit plan must describe the proposed scope, duration, and start date of the audit. Descartes will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Descartes’ security, privacy, employment or other relevant policies). Descartes will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in an existing Audit Report that was prepared for Descartes within the prior twelve (12) months and Descartes confirms there are no known material changes in the controls audited, Customer agrees, unless restricted by law or other regulatory requirements, to accept those findings in lieu of requesting an audit of the controls already covered by the report, unless prohibited by Data Protection Regulations from doing so.
The audit must be conducted during regular business hours at the applicable facility, subject to Descartes’ policies, and may not unreasonably interfere with Descartes’ business activities.
Customer will provide Descartes any audit reports generated in connection with any audit under this section, unless prohibited by law. The parties agree that the audit report shall be treated as if it was the confidential information of the other parties and be subject to the same protections and obligations as is set out under the Agreement, except that neither party can compel the other to delete, destroy, or return the report. Descartes may use the audit reports only for the purpose of assessing or analyzing the contents of the reports, verifying the conclusions reached in the report, and making changes, modifications, or adjustments to Descartes’ overall data protection or data security practices. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits requested by Customer are at the Customer's expense. Any request for Descartes to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of services under the Agreement. Descartes will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.
13. Legally Required Disclosures
Except as otherwise required by law, Descartes will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Information. At Customer’s request, Descartes will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Descartes has no responsibility to interact directly with the entity making the Demand, unless required by Data Protection Regulations or other applicable law to do so.
14. Destruction of Personal Information
In addition to complying with Descartes’ standard data retention practices which shall reasonably ensure that Personal Data is properly disposed of within a reasonable period of time after termination or expiration of the Agreement, if requested by Customer at any time during the term of the Agreement, Descartes will, within a commercially reasonable period of time, destroy or render unreadable all Personal Information received by Descartes from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Information to be preserved or maintained. Written confirmation that the Personal Information was destroyed or rendered unreadable can be provided upon request.
15. CCPA Specific Provisions
For the purposes of the CCPA, Descartes and Customer agree that:
a) Descartes is a service-provider to the Customer;
b) Descartes, as a for-profit entity, processes the Personal Information provided to it by Customer on behalf of Customer, solely for the purposes of fulfilling the Agreement and at Customer’s direction, which Customer shall always provide to Descartes in writing; and
c) Descartes will not sell, trade, rent, loan, or otherwise exchange for consideration, whether monetary or otherwise, any Personal Information provided to it by Customer with any other third-party.
Should any provision of this DPA be determined to be invalid or unenforceable by a court of competent jurisdiction or applicable regulatory authority, the remainder of this DPA shall remain valid and in force unless expressly stated by that same court or regulatory authority, as the case may be. The invalid or unenforceable provision shall either be (a) amended as necessary to ensure its validity and enforceability, while preserving each party’s intentions as closely as possible, or if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
[End of Data Processing Terms.]