This Data Processing Addendum and its annexures ("DPA") reflect the agreement between Ahrefs and Customer (as defined below), together referred to as the "Parties", with respect to the Processing of Customer Personal Data (as defined below) by Ahrefs under its Terms and Conditions of use and Privacy Policy (the "Agreement").
In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA will control.
For the purposes of this DPA, the following terms have the following meanings.
"Affiliate" means an entity that owns or controls, is owned or controlled by or is under common ownership or control with the subject entity, where “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of fifty percent (50%) or more of the voting securities or other equivalent voting interests of the subject entity;
"Ahrefs" means Ahrefs Pte Ltd (UEN No. 201227417H) 16 Raffles Quay #33-03 Hong Leong Building Singapore 048581;
"Controller" means the entity which determines the purposes and means of the processing of Personal Data;
"Customer" means the entity that enters into the Agreement with Ahrefs for use of or access to the Service;
"Customer Personal Data" means any and all Personal Data processed (or required to be processed) by Ahrefs on the Customer’s behalf in providing the Service or performing any other obligations under the Agreement;
"Data Protection Law" means all applicable legislation, laws and regulations relating to data protection and data privacy including, without limitation, the GDPR and the PDPA as applicable;
"GDPR" means the European Union General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, as may be amended or replaced from time to time;
"PDPA" means the Personal Data Protection Act 2012 that sets out the law on data protection in Singapore, as may be amended from time to time;
"Personal Data Breach" means personal data or personal information (as defined under the applicable Data Protection Law) that is subject to the applicable Data Protection Law;
"Personal Data" means personal data or personal information (as defined under the applicable Data Protection Law) that is subject to the applicable Data Protection Law;
"Processor" means an entity which processes Personal Data on behalf of a Controller;
"Service" means the services provided by Ahrefs to the Customer, governed by the terms under the Agreement;
This DPA consists of 2 parts: the main body of the DPA and its annexes, Annexes A, B and C. To the extent they are applicable, the main body of the DPA and Annex C apply by way of incorporation to the Agreement.
The EU Standard Contractual Clauses ("SCCs") at Annex A and Annex B have been pre-signed on behalf of Ahrefs. To enter into the relevant SCCs, Customer must:
Complete and sign Annex I of the SCCs; and
Send the signed page to their Ahrefs representative.
The SCCs will become legally binding upon receipt by Ahrefs of the validly signed SCCs by email.
The EU Standard Contractual Clauses Module 2 (Controller to Processor) at Annex A applies where Customer or Customer's Affiliate in the European Economic Area or Switzerland (for purposes of this DPA, together the "EEA") transfers Personal Data to Ahrefs and where the Customer is the Controller and Ahrefs is the Processor.
The EU Standard Contractual Clauses Module 3 (Processor to Processor) at Annex B applies where Customer or a Customer Affiliate in the EEA transfers Personal Data to Ahrefs and where the Customer is a Processor and Ahrefs is also a Processor.
The Data Transfer Agreement at Annex C applies where Customer or a Customer Affiliate in non-EEA countries transfers Personal Data to Ahrefs.
In the event of any conflict between the terms of this DPA and the annexures, the terms of the annexures will control.
Nothing in this DPA shall constitute or be deemed to constitute a partnership or joint venture among the Parties or constitute or be deemed to constitute any Party as the agent or employee of any of the other Parties for any purpose whatsoever and no Party shall have authority or power to bind any of the other Parties or to contract in the name of, or create a liability against, any of the other Parties in any way or for any purpose unless agreed by the applicable Parties in writing.
This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of Singapore.
Parties irrevocably agree that the courts of Singapore shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation.
This DPA shall automatically terminate on the expiration or earlier termination of the Agreement.
Customer shall, in its use of the Service, process Customer Personal Data in accordance with the requirements of applicable Data Protection Law. Customer’s instructions for the processing of Customer Personal Data shall comply with the applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data.
The Customer warrants that it has all necessary rights to provide the Customer Personal Data to Ahrefs for the processing of Customer Personal Data in relation to the Service. To the extent required by the applicable Data Protection Law, the Customer is responsible for ensuring that consent of all individuals whose data is to be processed is obtained and for ensuring that a record of such consent is maintained. Should such a consent be revoked by the individual, Customer is responsible for communicating the fact of such revocation to Ahrefs, and Ahrefs remains responsible for implementing any Customer instruction with respect to the further processing of Customer Personal Data that is consistent with the terms of this DPA.
comply with Data Protection Law;
at all times have in place an appropriate security policy with respect to the processing of Customer Personal Data, outlining in any case the measures referenced in Section 3 below.
Ahrefs and Customer shall implement appropriate technical and organizational measures for the security and protection of the Customer Personal Data.
To the extent required by applicable Data Protection Laws, Ahrefs shall notify the Customer without undue delay upon becoming aware of any Personal Data Breach.