Processing
This DPA forms part of the HoneyBee Terms of Service, Order Form, Master Services Agreement, Subscription Agreement, or other written contract between the parties (the "Agreement"). It is entered into by and between the Customer identified in the Agreement and HONEYBEE IOT (PTE.) LTD. ("HoneyBee"). Customer and HoneyBee are each a "Party" and together the "Parties".
This DPA applies where HoneyBee processes Personal Data on behalf of Customer in connection with the Services.
This DPA sets out the Parties' rights and obligations with respect to such processing and is intended to satisfy the contractual requirements that apply when a controller appoints a processor under applicable data protection law.
If and to the extent HoneyBee processes Personal Data as a controller in its own right, this DPA does not apply to that processing.
In this DPA:
Capitalised terms not defined here have the meaning given in the Agreement.
3.1 Customer acts as Controller of the Personal Data processed under this DPA, except where Customer itself acts as a processor on behalf of another controller, in which case HoneyBee will act as Customer's subprocessor.
3.2 HoneyBee acts as Processor and will process Personal Data only on behalf of Customer and in accordance with this DPA, the Agreement, and Customer's documented instructions, unless required to do otherwise by applicable law.
3.3 The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex 1 to this DPA.
4.1 HoneyBee will process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do otherwise by applicable law.
4.2 The Agreement, this DPA, Customer's use and configuration of the Services, and any written implementation or support instructions issued by Customer constitute Customer's documented instructions.
4.3 If HoneyBee believes an instruction infringes Applicable Data Protection Law, HoneyBee will inform Customer without undue delay, unless prohibited from doing so by law.
4.4 Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Law.
5.1 HoneyBee will ensure that all persons authorised to process Personal Data are subject to an appropriate duty of confidentiality, whether contractual or statutory.
5.2 HoneyBee will ensure that access to Personal Data is limited to personnel who need such access to perform the Services or comply with legal obligations.
6.1 HoneyBee will implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
6.2 Those measures will take into account: the nature, scope, context, and purposes of the processing; the risks to the rights and freedoms of natural persons; the state of the art; and the costs of implementation.
6.3 HoneyBee's baseline technical and organisational measures are described in Annex 2.
6.4 HoneyBee may update or modify the measures in Annex 2 from time to time, provided that the overall level of security is not materially reduced.
7.1 Customer grants HoneyBee general written authorisation to engage Subprocessors for the processing of Personal Data, provided that HoneyBee complies with this Section.
7.2 HoneyBee will impose data protection obligations on each Subprocessor by written contract that are no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by that Subprocessor.
7.3 HoneyBee remains responsible for the performance of each Subprocessor's data protection obligations to the extent required by Applicable Data Protection Law and the Agreement.
7.4 HoneyBee will make available a current Subprocessor list or a mechanism by which Customer can obtain information about current Subprocessors.
7.5 Where commercially appropriate, HoneyBee will provide notice of material changes to Subprocessors and give Customer a reasonable opportunity to raise a substantiated objection on data protection grounds.
7.6 If Customer raises a reasonable objection that cannot be resolved, HoneyBee may, at its option:
8.1 Taking into account the nature of the processing, HoneyBee will provide Customer with reasonable assistance through appropriate technical and organisational measures to enable Customer to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law.
8.2 If HoneyBee receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, HoneyBee will:
9.1 Taking into account the nature of the processing and the information available to HoneyBee, HoneyBee will provide reasonable assistance to Customer in relation to:
9.2 HoneyBee will provide this assistance to the extent required by Applicable Data Protection Law and proportionate to HoneyBee's role as Processor.
10.1 HoneyBee will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data processed on behalf of Customer.
10.2 To the extent known and reasonably available, HoneyBee's notification will include:
10.3 HoneyBee will take commercially reasonable steps to investigate, contain, mitigate, and remediate the Security Incident.
10.4 HoneyBee's notification under this Section does not constitute an admission of fault or liability.
11.1 Upon termination or expiry of the Agreement, and at Customer's choice, HoneyBee will:
unless Applicable Data Protection Law requires continued retention.
11.2 Where the Services provide self-service export functionality, Customer may use those tools to retrieve Personal Data during the applicable export window.
11.3 HoneyBee may retain limited records where required by law, for legitimate security, fraud-prevention, tax, audit, backup, dispute-resolution, or legal-hold purposes, provided that such retained data remains protected in accordance with this DPA.
11.4 If Customer does not make an election, HoneyBee may delete Personal Data after expiry of any applicable retention or export period stated in the Agreement or support documentation.
12.1 HoneyBee will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
12.2 Where such information is insufficient for Customer's legal obligations, HoneyBee will allow and contribute to reasonable audits or inspections by Customer or an independent auditor mandated by Customer, subject to the following conditions:
12.3 Customer will bear its own audit costs, unless the audit reveals a material breach of this DPA by HoneyBee.
13.1 Where HoneyBee processes Personal Data in a country outside the EEA, the UK, or Switzerland, and Applicable Data Protection Law requires a transfer mechanism, the Parties will implement an appropriate lawful transfer mechanism.
13.2 Where applicable, that mechanism may include:
13.3 If the SCCs are required, they are incorporated by reference into this DPA or may be executed as a separate annex. Where the relevant SCC module already includes the Article 28 requirements, the Parties may rely on that SCC module rather than duplicating equivalent provisions.
13.4 The Parties will complete any required annexes, appendices, or transfer details using the information in Annex 1 and Annex 2 of this DPA, as supplemented where necessary.
14.1 HoneyBee will maintain records of processing activities where required by Applicable Data Protection Law.
14.2 HoneyBee will cooperate reasonably with supervisory authorities or equivalent regulators to the extent required by law in relation to processing under this DPA.
14.3 HoneyBee will promptly inform Customer if, in its opinion, an instruction from Customer violates Applicable Data Protection Law.
15.1 This DPA is subject to the liability limitations, exclusions, and allocation of risk set out in the Agreement, unless Applicable Data Protection Law requires otherwise.
15.2 Nothing in this DPA excludes or limits either Party's liability to the extent such exclusion or limitation is prohibited by law.
If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA will prevail to the extent of that conflict.
If the Parties execute SCCs or another transfer mechanism that conflicts with this DPA, the SCCs or that transfer mechanism will prevail to the extent legally required for the relevant transfer.
This DPA will be governed by the governing law and jurisdiction provisions of the Agreement, unless the SCCs or another mandatory transfer mechanism require otherwise for a specific claim or interpretation issue.
Provision of the HoneyBee platform and related services, including hosting, storage, workflow execution, support, implementation, migration, integration, mobile functionality, analytics, AI-assisted features where enabled, and related operational services.
For the duration of the Agreement and any agreed post-termination retention, export, backup, or legal-hold period.
Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, deletion, or destruction of Personal Data as necessary to provide the Services.
To provide the Services to Customer, including account administration, hosting, workflow management, project and finance processing, support, implementation, security, backups, exports, and any agreed integrations or private deployments.
May include, depending on Customer's use of the Services:
May include, depending on Customer's use of the Services:
The Services are not intended by default for special category or highly sensitive Personal Data unless expressly agreed by the Parties and supported by appropriate controls. If Customer chooses to upload such data, Customer is responsible for ensuring a lawful basis and giving documented instructions.
Continuous or as initiated by Customer users, systems, integrations, or support interactions during the term of the Agreement.
As stated in the Agreement, implementation documents, infrastructure documentation, Subprocessor documentation, or transfer documentation applicable to the relevant Service deployment.
HoneyBee will maintain technical and organisational measures appropriate to the risk, which may include:
Where HoneyBee relies on third-party data centres or infrastructure providers, physical security controls are managed by those providers under their own certified or documented controls, as applicable.
HoneyBee may update these measures over time so long as the overall level of protection is not materially reduced.
Use this annex only where the Parties need Standard Contractual Clauses for a restricted transfer. If required, complete a separate SCC attachment with:
The modernised 2021 SCCs (Modules 2 and 3) can also cover the Article 28 processor-contract requirements. Where the relevant SCC module already includes those requirements, the Parties may rely on that SCC module rather than duplicating equivalent provisions in this DPA.
Questions about this DPA?
Contact us at privacy@ourhoneybee.eu or info@ourhoneybee.eu