Data Processing Addendum

Last updated: September 27, 2025

This Data Processing Addendum (the “DPA”) forms part of, and is subject to, the agreement or online terms between BenchWise, Inc. (“BenchWise”, “we”, “us”, or “Processor”) and the customer entity that has executed such agreement or accepted such online terms (“Customer” or “Controller”) governing the provision of BenchWise services (the “Agreement”). Capitalized terms not defined in this DPA have the meanings given in the Agreement.

1. Scope and roles

1.1. This DPA applies to BenchWise’s Processing of Personal Data strictly for the purpose of providing the Services to Customer under the Agreement. For such Processing, Customer is the Controller and BenchWise is the Processor.

1.2. Customer instructs BenchWise to Process Personal Data as reasonably necessary to provide the Services, consistent with the Agreement and this DPA. BenchWise will not “sell” or “share” Personal Data (as defined by applicable law) or otherwise Process Personal Data for purposes other than providing the Services or as required by law.

2. Definitions

“Personal Data”, “Processing/Process”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” and other terms not defined herein have the meanings given in applicable Data Protection Laws.

3. Compliance and Customer responsibilities

3.1. Customer is responsible for the accuracy, quality, and lawfulness of Personal Data and for the means by which Customer acquired Personal Data, including obtaining any required notices and consents from Data Subjects.

3.2. Customer will not provide, and BenchWise does not need, special categories of data (e.g., highly sensitive financial, health, or biometric data) unless expressly agreed in writing.

4. Confidentiality and security

4.1. BenchWise will ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.

4.2. BenchWise implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Measures include encryption in transit and at rest, access controls and role-based permissions, least-privilege access, audit logging of key administrative actions, and regular backups.

5. Subprocessors

5.1. Customer authorizes BenchWise to engage Subprocessors to support the provision of the Services. A current list of Subprocessors is maintained at benchwise.ai/subprocessors and may be updated from time to time.

5.2. BenchWise will impose data protection obligations on Subprocessors that provide at least the same level of protection for Personal Data as required by this DPA and remains responsible for Subprocessors’ performance.

5.3. BenchWise will provide prior notice of new Subprocessors via the page above and, where Customer has provided a suitable email address, via email notification. Customer may object on reasonable grounds relating to data protection by providing written notice within ten (10) days of the update. If the parties cannot resolve the objection, Customer’s sole and exclusive remedy is to suspend or terminate the affected Services (without penalty) and receive a pro‑rated refund of prepaid fees for the terminated portion.

6. Data subject requests and assistance

6.1. Taking into account the nature of the Processing, BenchWise will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise Data Subjects’ rights under applicable Data Protection Laws.

7. Security incidents

7.1. BenchWise will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. Such notification may be supplemented as information becomes available and will include details reasonably required for Customer to comply with its obligations.

8. Audits and information

8.1. BenchWise will make available to Customer information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer, subject to reasonable advance notice, confidentiality obligations, and limits to one audit per 12‑month period, unless required by a Supervisory Authority or in response to a material Personal Data Breach.

9. Return and deletion

9.1. Upon termination or expiration of the Services, BenchWise will, upon Customer request, delete or return all Personal Data in its possession or control, unless retention is required by applicable law. Deletion will be performed within a commercially reasonable period in accordance with BenchWise’s data retention practices.

10. International transfers

10.1. Where BenchWise’s Processing involves a transfer of Personal Data from the EEA/UK/Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that the appropriate Standard Contractual Clauses, including applicable UK addenda, will apply and are hereby incorporated by reference, with BenchWise acting as the data importer and Customer as the data exporter.

11. Liability

11.1. The aggregate liability of each party and its affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. In no event will BenchWise’s aggregate liability arising out of or related to this DPA exceed the limitations agreed in the Agreement.

12. Precedence

12.1. In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the subject matter herein, unless the Agreement expressly states otherwise.

13. Contact

For questions about this DPA or BenchWise’s data protection practices, contact: