This Partner DPA forms part of the Partner Agreement between the Parties and governs the Partner’s processing of personal data made available by IDrive® in connection with the Partner Program or BMR Partner Program.
It sets out each Party’s respective obligations under applicable data-protection laws.
As part of the Program, IDrive® may provide Partner with limited customer account information (for example, names, email addresses, account identifiers, and usage statistics) solely for referral tracking, reporting, commission administration, and limited account management.
BMR Partners may receive administrative access to BMR appliances and related accounts strictly to configure, monitor, or support those appliances on behalf of IDrive® and/or the End User.
The Parties acknowledge that IDrive® acts as Data Controller and Partner acts as Data Processor when processing such data.
2. Partner Obligations as Processor
The Partner shall:
1. Process under instructions – only on documented instructions from IDrive.
2. Confidentiality – ensure authorized personnel are bound by confidentiality obligations.
3. Security Measures – implement appropriate technical and organizational measures in line with GDPR Art. 32.
4. Sub-processing – not engage any sub-processor without IDrive’s prior written consent and a written contract imposing equivalent protections.
5. Data-subject rights – promptly notify IDrive® of any request and assist IDrive in fulfilling it.
6. Breach notification – notify IDrive® without undue delay (no later than 24 hours) after becoming aware of a personal-data breach.
7. Government requests – notify IDrive® of any legally binding disclosure request unless prohibited by law and seek to limit the disclosure.
8. Deletion/Return – upon termination or on request, delete or return all data unless retention is required by law.
9. Use restrictions – not use personal data for marketing, resale, profiling, or any other unauthorized purpose.
10. BMR access – when applicable, never access end-user file content except as strictly necessary to provide authorized support or administration.
3. IDrive's Role
IDrive® remains the Controller of customer personal data.
No rights or licenses in such data are granted to the Partner.
IDrive® may revoke or restrict access at any time without affecting earned commissions.
4. Compliance with Laws
Partner must comply with all applicable data-protection laws, including the GDPR, UK GDPR, Data Protection Act 2018, CCPA/CPRA, and similar laws.
CCPA/CPRA Service-Provider Terms
Partner will not sell or share personal information.
Partner will not retain, use, or disclose personal information for any purpose other than those authorized by IDrive®.
Partner certifies that it understands and will comply with these obligations and will promptly notify IDrive® if it cannot do so.
IDrive® may take reasonable steps to ensure Partner’s processing is consistent with IDrive's CPRA obligations.
Partner shall promptly notify IDrive® if it becomes subject to any investigation, complaint, or order relating to data protection.
5. Liability and Indemnification
The Partner is responsible for any misuse of personal data or unauthorized actions.
For BMR administrative access, Partner is specifically liable for misuse of administrative rights or unauthorized handling of End-User data.
Partner shall indemnify and hold harmless IDrive® and its affiliates from any claims, damages, penalties, or liabilities (including regulatory fines and reasonable attorney fees) arising from Partner’s breach of this DPA or applicable data-protection laws.
6. Audit Rights
Upon thirty (30) days’ written notice, IDrive® may audit Partner’s compliance once per year, or more frequently if required by law or after a data incident.
Partner shall co-operate and make relevant records available.
Audits will ordinarily be limited to documentation and remote assessments; on-site reviews may be conducted only if necessary to verify compliance.
7. International Transfers
If Partner processes personal data outside the jurisdiction where it was originally collected, Partner must implement appropriate transfer safeguards (e.g., Standard Contractual Clauses and supplementary measures) ensuring an adequate level of protection.
Partner acknowledges that IDrive® relies on the EU–U.S. Data Privacy Framework, its UK Extension, the Swiss–U.S. Data Privacy Framework, and the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021 as transfer mechanisms.
The Standard Contractual Clauses (including all applicable modules identified below) are incorporated into this Partner DPA by reference as if set out in full. Annex A of this DPA constitutes Annex I and II to those Clauses, setting out the parties, data categories, and technical and organizational measures.
The following SCC modules apply as appropriate: – Module 1 (Controller-to-Controller) for limited account or administrative data processed by IDrive as an independent controller; and
– Module 3 (Processor-to-Processor) for data processed by Partner on behalf of IDrive.
For the UK, the International Data Transfer Addendum (IDTA) issued by the UK ICO is incorporated by reference and applies to transfers from the United Kingdom.
For Switzerland, the SCCs apply as adapted by the Swiss FDPIC.
IDrive® and Partner will complete the relevant Annex details as set out in Annex A of this DPA.
8. Term and Termination
This DPA remains in effect for as long as the Partner processes personal data on behalf of IDrive®.
Upon termination, Partner must immediately cease processing and delete or return all personal data pursuant to Section 2(8).
9. Governing Law
This DPA is governed by the laws of the State of California, USA, unless applicable data-protection law requires otherwise.
For EU/UK/Swiss SCC interpretation, the respective laws of the exporting jurisdiction apply.
10. Order of Precedence
In case of conflict, the order of precedence is:
(i) the Standard Contractual Clauses; (ii) this Partner DPA; (iii) the Partner Agreement.
Annex A – Details of Processing
Subject matter: Processing of customer account-related information and, for BMR Partners, limited administrative access to appliances for support and management.
Nature and purpose: Referral tracking, reporting, commission administration, account management, and BMR support.
Duration: For the term of the Partner Agreement or until deletion/return of data.
Types of personal data: Names, email addresses, account identifiers, usage data, appliance IDs, endpoint reports (no file content).
Categories of data subjects: End users and customers who sign up via Partner.