This Data Processing Addendum ("DPA") is incorporated into and forms a part of the above agreement (the "Agreement") between Customer (as hereinafter defined) and Company (as hereinafter defined). This DPA comprises this cover page and the following Annexes, which are incorporated by reference:
Annex A – Data Processing Terms and Conditions
Annex B – Technical and Organizational Measures
Annex C – Data Processing Particulars
Annex D – Standard Contractual Clauses
ANNEX A
Data Processing Terms & Conditions
THE PARTIES AGREE:
- DEFINITIONS
In this DPA, unless the context otherwise requires, the following definitions shall apply. All other capitalized terms shall have the meaning ascribed to them by the Data Protection Laws (as hereinafter defined):
- "Adequate Jurisdiction" means a country or jurisdiction that is found by the competent authority of any jurisdiction to ensure an adequate level of data protection within the meaning of the Data Protection Laws and therefore does not require Standard Contractual Clauses.
- "Controller" means "controller," "business," and similar terms, as such terms are defined by Data Protection Laws, as well as the party which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- "Data Protection Laws" means any applicable laws regarding the Processing of Personal Data, including but not limited to (i) the European Union’s ("EU") Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"), (ii) the United Kingdom’s ("UK") GDPR and the Data Protection Act of 2018, (iii) Switzerland’s Federal Act on Data Protection of June 19, 1992 and the Ordinance to the Federal Act on Data Protection, and (iv) the California Consumer Privacy Act of 2018, including the California Privacy Rights Act of 2020 (CCPA); and, where applicable, the guidance and codes of practice issued by the data protection authorities or others in connection with such laws, all as amended from time to time.
- "Data Subject" means "data subject", "person", and similar terms, as such terms are defined by Data Protection Laws, as well as any individual whose Personal Data will be Processed in the context of the Agreement, including inter alia Customer’s customers and the employees and agents of Customer and/or of its customers.
- "Customer" means Customer Co. and any of its affiliate entities directly or indirectly controlled by Customer Co. A list of all Customer entities will be provided to Company upon Company’s written request to Customer.
- "Personal Data" means data that could reasonably identify, directly or indirectly, an individual or "personal data", "personal information", "personally identifiable information," and similar terms, as such terms are defined by Data Protection Laws, and is Processed by the Company pursuant to or in connection with the Services as defined in the Agreement.
- "Personal Data Breach" means "personal data breach", "personal information security breach", and similar terms, as such terms are defined by Data Protection Laws, and will also include (i) any unauthorized intrusion into, control of, access to, modification of, or use of Customer’s Personal Data or any Customer System that is used to Process Personal Data in relation to the Services; and (ii) any event that led the Company to suspect, or that would lead a reasonable person exercising a reasonable level of diligence and investigation to suspect, that an unauthorized intrusion into, control of, access to, modification of, or use of Customer’s Personal Data or a Customer System has occurred.
- "Processing" means any operation or set of operations which is performed on Customer’s Personal Data, whether or not by automated means, as defined in Data Protection Laws, such as obtaining, retrieving, structuring, using, recording, holding, storing, altering, manipulating, transmitting, disclosing, erasing or destroying Personal Data (and "Process" and "Processed" shall be construed accordingly).
- "Processor" means "processor", "service provider" (where applicable), and other similar terms, as such terms are defined by Data Protection Laws, as well as the party which processes Personal Data on behalf of the Controller.
- "Services" means all services, products, and other activities provided to Customer by the Company in connection with or related to the Agreement.
- "Standard Contractual Clauses" means, as set forth on Annex D attached hereto, (i) the standard contractual clauses adopted by the European Commission on 4 June 2021 for the transfer of Personal Data to third countries pursuant to the GDPR ("SCCs"); (ii) the International Data Transfer Agreement or as a supplement to the SCCs, the International Data Transfer Addendum, version B1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses set forth therein or any subsequent link published by the UK Information Commissioner’s Office ("UK SCC Addendum"), both as incorporated into this Agreement by reference and as supplemented in Annex D.
- "Sub-processor" means "subprocessors" and similar terms, as such terms are defined by Data Protection Laws, as well as any third party appointed by or on behalf of Company, or by or on behalf of an existing subcontractor of Company, to Process Personal Data on behalf of Customer.
- "Supervisory Authority" means the competent supervisory authority under Data Protection Laws.
- "System" means any Customer file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment or domain, or other technology or system used in connection with the Services, including, without limitation, all development, quality assurance, staging, and production environments.
- "Company" means the supplying company set forth in the Agreement.
- "Company Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the Company.
- APPLICATION OF THIS DPA AND PROCESSING OF PERSONAL DATA
- General
- This DPA applies to the extent that the Company or a Company Affiliate Processes Customer’s Personal Data.
- With respect to the Processing of Personal Data under this DPA, the parties acknowledge and agree that Customer is the Controller and the Company or the Company Affiliate is the Processor.
- Each party shall comply at all times with the Data Protection Laws, this DPA and, where applicable, the Standard Contractual Clauses (collectively, the "Data Protection Duties").
- The Company shall promptly notify and co-operate with Customer if it believes that it may no longer be able to comply with any of the terms of the Data Protection Duties. In such case, the Company will, in consultation with Customer, take reasonable and appropriate steps to address and remediate such potential non-compliance, and shall not undertake any Processing that is in breach of the Data Protection Duties.
- Restrictions on the Use of Personal Data
- The Company shall Process Personal Data (i) exclusively and only in accordance with the documented instructions received from Customer, including without limitation instructions regarding the transfer of Personal Data to third countries or international data transfers, (ii) only for the specific purpose of providing Services to Customer, and (iii) pursuant to the description of Processing set out in Annex C. Customer shall ensure that it has received consent from all Data Subjects to Process Personal Data in accordance with this DPA. If the Company is required to further Process Personal Data in order to comply with the Data Protection Laws, it shall notify Customer before such Processing occurs, unless the Data Protection Laws requiring such Processing prohibit the Company from notifying Customer, in which case it shall notify Customer as soon as the Data Protection Laws permit it to do so.
- Company and Company Affiliates shall not (i) sell or share Personal Data; (ii) retain, use, disclose, access, reconfigure, de-identify, or re-identify Personal Data for any purpose other than providing the Services, including any commercial purpose other than the business purpose specified in the Agreement or as otherwise permitted by Data Protection Laws; (iii) combine Personal Data received pursuant to the Agreement with personal data received from or on behalf of another party or collected for its own business purposes; (iv) retain, use, or disclose the Personal Data outside the direct business relationship between the Company and Customer; or (v) use Personal Data to create any derivative work or product for the benefit of Company or Company Affiliates.
- Company’s personnel. The Company shall:
- Take reasonable steps to ensure the reliability of any of its employees, personnel, agents, or contractors (each a "Company Representative") who will have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data to provide the Services;
- Ensure that Company Representatives are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and are required at all times to comply with the Company’s Data Protection Duties and the instructions of Customer;
- Provide training as necessary from time to time to all Company Representatives with respect to their obligations under the Data Protection Duties to ensure awareness of and compliance with such obligations.
- Return or Deletion of Personal Data
- Upon the termination or expiration of this DPA or upon Customer’s request, Company shall promptly and in any event within 30 (thirty) days of the date of cessation of any Services involving the Processing of Personal Data or at any earlier date required by Customer, cease Processing the Personal Data; and immediately return and delete existing copies of that Personal Data, providing a certification of same within thirty (30) days.
- The Company shall delete all Personal Data using a final, secure, and complete method that will render that Personal Data permanently unrecoverable. If Company cannot for any reason return and destroy Personal Data, Company agrees to apply the terms of this DPA and guarantees the return and/or destruction of the Personal Data as requested by Customer when the legal obligation is no longer in effect.
- Communications from Data Subjects and Assistance with Compliance
- The Company shall provide Customer with reasonable and prompt cooperation and assistance as necessary to ensure Customer’s fulfilment of its obligations under the Data Protection Laws, including effectively responding to requests from Data Subjects exercising their rights under the Data Protection Laws relating to Personal Data. The Company shall, upon Customer’s request or as required by the Data Protection Duties, reasonably assist and cooperate with Customer in the event of an inquiry, investigation, request by, or reporting obligations to, any Supervisory Authority or any other authority in relation to Personal Data Processed in connection with this DPA.
- Engaging Third Party Sub-processors
- Customer authorizes the Company to appoint Sub-Processors in accordance with this Section.
- Company shall ensure that all Sub-Processors are subject to a written agreement with terms that impose privacy, confidentiality, and data security obligations no less restrictive than the terms of this DPA.
- The Company shall give Customer prior written notice of any proposed Sub-Processor at least 30 (thirty) days in advance of engaging such Sub-Processor to Process Personal Data. Such notice must include full details of the Processing to be undertaken by the Sub-processor. If, within 30 (thirty) days of receipt of such notice, Customer objects in writing to the proposed appointment, the Company shall not appoint that proposed Sub-processor and Company shall not use the proposed Sub-processor to Process Personal Data until and unless reasonable steps have been taken to address the objections raised by Customer, Customer has been provided with a reasonable written explanation of the steps taken, and Customer provides its written consent to the appointment of such Sub-processor.
- In the event that the Company provides Personal Data to any Sub-processor, the Company shall not be relieved of and shall remain liable and responsible for the performance of any of its obligations under this DPA with regard to that Personal Data and shall be fully liable to Customer for any acts or omissions in breach of this DPA or the Data Protection Duties by any Sub-processor.
- The Company shall select Sub-processors with due diligence and will verify prior to engaging the Sub-processor that such Sub-processor is capable of complying with the Data Protection Duties, to the extent applicable to the Services assigned to that Sub-processor.
- INTERNATIONAL TRANSFERS OF PERSONAL DATA
- Company shall not Process Personal Data outside the country in which the Personal Data originates without prior written approval from Customer, inclusive of transfers to Sub-Processors. Notwithstanding the foregoing, Processor may, in accordance with applicable Data Protection Laws and the terms of this DPA.
- To the extent Personal Data is transferred from a jurisdiction requiring a data transfer mechanism such as the Standard Contractual Clauses to a non-Adequate Jurisdiction, the relevant Standard Contractual Clauses contained in Annex D will apply.
- In the event of any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall take precedence.
- DATA BREACH OBLIGATIONS
- Notice. The Company shall notify Customer immediately via email at CustomerGlobalDataPrivacy@Customer.com, and in no event more than twenty-four (24) hours after Company reasonably suspects a Personal Data Breach. Company shall include any information reasonably requested by Customer.
- Notice to Other Parties. The Company shall not notify any parties other than Customer and, to the extent required by the Data Protection Laws, relevant law enforcement agencies, of any Personal Data Breach without the prior, written consent of Customer.
- Cooperation with Customer. The Company shall fully cooperate with and assist Customer in all reasonable and lawful efforts, taking into account the nature of processing and the information available to the Company, in investigating, preventing, eradicating, mitigating, rectifying, and responding to each Personal Data Breach. The foregoing shall include but not be limited to having an immediate conversation with Customer with appropriate representatives of Company.
- Costs. In addition to any other amounts owed, the Company shall be liable for all and any damages or losses suffered by or claims against Customer relating to a Personal Data Breach resulting from the Company’s or Company Affiliate’s acts or omissions that result in a breach of this DPA. The remedies set forth herein shall be in addition to any other remedies available to Customer at law or in equity.
- Termination of the DPA
ANNEX B
Technical and Organizational Measures
The Technical and Organizational Measures to be adhered to by the Company are set forth below:
- The Company shall, taking into account the state of the art and costs of implementation, the nature, scope, context, and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, in relation to the Personal Data Processed, implement appropriate technical, physical, and organisational measures to ensure a level of security appropriate to that risk. The Company shall implement, maintain, and comply with comprehensive information and network security programs, practices, and procedures that govern the Services (collectively, "Data Security Program") that: (i) meets current industry best practice, (ii) has a data protection policy that aligns with Data Protection laws, and (iii) aligns with ISO 27000 series of standards or comparable security framework. The Company shall document its Data Security Program in written form and shall make those documents available to Customer for review upon Customer’s request. The Company shall keep its Data Security Program current and up-to-date to improve the security of the Data Security Program, but in no event render the Data Security Program less comprehensive, secure, or robust.
- The Company shall enforce strong identity and access requirements, including but not limited to:
- Strong usernames and passwords (equivalent to or better than NIST recommendations)
- Multi-factor authentication (MFA)
- Access based on need-to-know and zero-trust methodology
- Secure protocols and authentication measures
- The Company shall require the use of current industry best practice encryption for all storage and transmission of Personal Data, including industry standard encryption at rest and current TLS protocols for data in transit.
- Company shall maintain formal policies which cover monitoring, detecting, and responding to potential security threats and security incidents ("Incident Response Plan"). The Company shall have a backup and restore process tested annually with a disaster recovery test. This test shall demonstrate the ability to restore availability of and access to Personal Data in line with criticality-based restore parameters and SLAs.
- The Company shall create, protect, and retain System audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate System activity and ensure that the actions of individual System users can be uniquely traced to those users so they can be held accountable for their actions.
- The Company shall undergo annual (or more frequent) audits of Company’s Systems, facilities, policies, controls, and practices conducted by an independent internal audit department or an independent third party auditor, and that audit shall include in its scope all Systems and facilities that the Company uses to protect, secure, defend, or Process Personal Data and all of Company’s practices, controls, policies and procedures relating to the protection, security, defense, or Processing of Personal Data. The Company shall, consistent with industry practices, continuously monitor and inspect all Systems that it uses to protect, secure, defend, or Process Personal Data to identify security vulnerabilities. Company shall also have in place a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- Company shall utilize secure software development practices such that all software produced for Customer or utilized by Customer is created, maintained, and operated in accordance with the NIST Secure Software Development Framework and/or the OWASP Secure Coding Practices. Web applications shall be regularly audited by Company to ensure they are not vulnerable to any of the security risks listed on the then-current OWASP Top Ten list and any critical or high vulnerabilities discovered shall be immediately remediated.
ANNEX C
Data Processing Particulars
This Annex C hereby incorporates by reference the Company Risk Assessment Attestation. Note that the Attestation was completed by Company prior to execution of the Agreement as the Data Processing Particulars.
ANNEX D
Standard Contractual Clauses
The data importer has the data exporter’s general authorisation for the engagement of sub-Processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-Processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-Processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- The following provision under Clause 13(a) of Module 2 of the SCCs applies:
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- The following provision under Clause 17 of Module 2 of the SCCs applies:
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.
- The following provision under Clause 18(b) of Module 2 of the SCCs applies:
The parties agree that those shall be the courts of the Netherlands.
- The following are incorporated by reference into these SCCs:
- all Data Processing Particulars described in Annex C of this DPA (into Annex 1 to the Standard Contractual Clauses); and
- all Technical and Organisational measures described in Annex B of this DPA (into Annex 2 to the Standard Contractual Clauses).
- Adjustments to the SCCs for Personal Data Transfers from Applicable Data Transfer Jurisdictions
In addition to the modules selected in Section II above, with respect to transfers of Personal Data from Customer established in Applicable Data Transfer Jurisdictions to Company in non-Adequate Jurisdictions, the Parties hereby further agree:
- Under Clause 13(a) of the SCCs:
The supervisory authority with responsibility for ensuring compliance by the data exporter with the Data Protection Laws as regards the data transfer shall act as competent supervisory authority.
- Under Clause 17 of the SCCs:
These Clauses shall be governed by the law of the Applicable Data Transfer Jurisdiction in which the data exporter is established.
- Under Clause 18(b) of the SCCs:
The Parties agree that those shall be the courts of the Applicable Data Transfer Jurisdiction.
- Any references to Member State shall mean transfers to Adequate Jurisdictions or within the Applicable Data Transfer Jurisdiction, as relevant.
- The use of the term ‘EU Member State’ in the SCCs must not be interpreted in such a way as to exclude data subjects from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18 of the SCCs; and
- References to the GDPR in the SCCs are to be understood as references to the Data Protection Laws.
- Personal Data Transfers from Switzerland
- To the extent that the data exporter transfers Personal Data related to Swiss data subjects to a Non-Adequate Jurisdiction, the Swiss Federal Act on Data Protection of 19 June 1992 ("FADP") applies to the transfers of the Personal Data and, therefore, the following adjustments to the SCCs shall apply to ensure an adequate level of protection for the transfers of Personal Data outside Switzerland in accordance with the FADP:
- Annex I.C under Clause 13 of the SCCs:
The competent supervisory authority is the Federal Data Protection and Information Commissioner ("FDPIC");
- Clause 17 of the SCCs:
The law governing the Standard Contractual Clauses is Swiss law;
- The use of the term ‘EU Member State’ in the SCCs must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the SCCs; and
- References to the GDPR in the SCCs are to be understood as references to the FADP.
- To the extent that the data exporter transfers Personal Data related to Swiss and EEA data subjects or if the transfers of Personal Data are otherwise subject to the extraterritoriality provisions of the EU GDPR (Article 3), the FADP and the GDPR apply in parallel to the transfers of Personal Data. In this case, the Parties agree that the GDPR standard will apply to the transfers of Personal Data because the GDPR provides adequate protection and data subjects are consequently not disadvantaged as a result of the transfers. The following adjustments to the SCCs shall apply:
- Annex I.C under Clause 13 of the SCCs: The competent supervisory authorities are the FDPIC, insofar as the transfers of Personal Data are governed by the FADP, and the EEA competent supervisory authority as indicated in Annex I.C of the SCCs, insofar as the transfers of Personal Data are governed by the GDPR; and
- the use of the term ‘EU Member State’ in the SCCs must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the SCCs.
- UK SCC Addendum
To the extent Personal Data from the UK is transferred to a country outside of the UK, the UK SCC Addendum is incorporated and applies as follows:
- with respect to Table 1 of the UK SCC Addendum, the details of the data exporter and data importer are set forth in Annex C;
- with respect to Table 2 of the UK SCC Addendum, the version of the SCCs in force at the date of execution of this Agreement applies;
- with respect to Table 3 of the UK SCC Addendum, (a) the description of the parties is set forth in Annex C, (b) the details of the processing are set forth in Annex C, and (c) the description of the technical and organisational security measures is set forth in Annex B; and
- with respect to Table 4 of the UK SCC Addendum, no party may end the UK SCC Addendum as set out in Section 19 of the UK SCC Addendum.