Data Processing Addendum
This DATA PROCESSING ADDENDUM (“Addendum”) forms part of the Master Subscription Agreement and Terms of Service (“Principal Agreement”) between: (i) Customer (“Controller”); and (ii) Prodoscore (“Processor” or “Service Provider”). This Addendum is entered into and effective as of the effective day of the Agreement.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
Agreement
1. Definitions
- 1.1 — In this Addendum, the following terms shall have the meanings set out below:
- 1.1.1 — “Anonymous Data” means information that relates to a group or category of consumers and/or individuals, from which: (i) the Controller cannot be identified as the source of the information; (ii) personally identifiable information allowing the identification of individuals is removed; and (iii) the information is not reasonably identifiable or linkable to any consumer, individual, household, or device.
- 1.1.2 — “Applicable Laws” means (a) the GDPR and (b) the CCPA;
- 1.1.3 — “Personal Data” means any Personal Data Processed by the Contracted Processor on behalf of the Controller pursuant to the Principal Agreement;
- 1.1.4 — “CCPA” means the California Consumer Privacy Act of 2018.
- 1.1.5 — “Contracted Processor” means Processor or a Subprocessor;
- 1.1.6 — “EEA” means the European Economic Area;
- 1.1.7 — “GDPR” means EU General Data Protection Regulation 2016/679 and its implementing regulations in the EEA and the United Kingdom;
- 1.1.8 — “Restricted Transfer” means a transfer of Personal Data subject to the GDPR outside of the EEA;
- 1.1.9 — “Services” means the services and other activities to be supplied to or carried out by or on behalf of Contracted Processor for Controller pursuant to the Principal Agreement;
- 1.1.10 — “Standard Contractual Clauses” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU);
- 1.1.11 — “Subprocessor” means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or Processor Affiliate to Process Personal Data on behalf of any Controller in connection with the Principal Agreement; and
- 1.1.12 — “Processor Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- 1.1.13 — The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
- 1.1.14 — The term “Service Provider” shall have the same meaning as in the CCPA.
2. Processing of Personal Data
- 2.1 — Processor and Processor Affiliate shall:
- 2.1.1 — comply with all Applicable Laws in the Processing of Personal Data; and
- 2.1.2 — not Process Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Processor or the relevant Processor Affiliate shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.
- 2.2 — The Controller shall:
- 2.2.1 — instruct Processor and each Processor Affiliate (and authorizes Processor and each Processor Affiliate to instruct each Subprocessor) to:
- 2.2.1.1 — Process Personal Data; and
- 2.2.1.2 — in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
- 2.3 — Processor acknowledges that it is a Service Provider and that all Personal Data that it may receive from Controller, Controller’s employees or consultants, or otherwise acquired by virtue of the performance of services under the Principal Agreement shall be regarded by Processor as strictly confidential and held by Vendor in confidence.
- 2.4 — Processor shall not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any purpose other than for the purpose of performing services for Controller; or retain, use, or disclose any Personal Data outside the scope of this Addendum or the Principal Agreement.
- 2.5 — Processor understands the restrictions in this Section 2 and will comply with them.
- 2.6 — Processor may use Anonymous Data for its own purposes.
- 2.7 — The Controller warrants and represents that:
- 2.7.1.1 — it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section;
- 2.7.1.2 — it has all necessary rights to provide the Personal Data to the Processor for the Processing to be performed in relation to the Services;
- 2.7.1.3 — one or more lawful bases set forth in the Applicable Laws support the lawfulness of the Processing;
- 2.7.1.4 — all necessary privacy notices are provided to data subjects;
- 2.7.1.5 — any necessary data subject consents to the Processing are obtained and a record of such consents is maintained; and
- 2.7.1.6 — should such a consent be revoked by a data subject, and no other lawful basis remains to keep the data subject’s personal data, it will communicate the fact of such revocation to the Processor.
- 2.8 — Anonymous/Deidentified Data — With respect to anonymous and deidentified data, Prodoscore may share such data with third parties for research and analytics purposes. This data is not reasonably identifiable to any individual or Prodoscore customer.
3. Processor and Processor Affiliate Personnel
Processor and each Processor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
- 4.1 — Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and Processor Affiliate shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
- 4.2 — In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- 4.3 — The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Laws or by regulatory authorities of competent jurisdiction.
- 4.4 — Where an amendment to the Principal Agreement is necessary in order to execute a Controller instruction to the Processor to improve security measures as may be required by changes in Applicable Laws from time to time, the Parties shall negotiate an amendment to the Principal Agreement in good faith.
5. Restricted Transfers
- 5.1 — Processor shall not export, transfer, store, remotely access Personal Data, or permit any of the latter in/from a country which is not part of the European Economic Area and does not benefit from an adequacy recognition decision of the European Commission pursuant to Article 45 of the GDPR, unless such export, transfer, storage, or remote access is secured through the provision of appropriate guarantees, which may consist of: (i) Privacy Shield certification; (ii) applicable standard data protection clauses pursuant to Article 46.2 c) or d) of the GDPR; (iii) binding corporate rules pursuant to Article 46.2 b) of the GDPR; (iv) derogations for specific situations under Article 49 of the GDPR; or, (v) any other instrument recognized by the GDPR and approved by the European Commission or a Supervisory Authority.
- 5.2 — To the extent no adequacy decision or other appropriate guarantees apply, the Parties hereby agree to and incorporate the Standard Contractual Clauses into this Addendum. Controller shall be the Data Exporter and Processor shall be the Data Importer. Appendix 1 and 2 to this Addendum shall be Appendix 1 and 2 to the Standard Contractual Clauses.
6. Subprocessing
- 6.1 — Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section to appoint) Subprocessors in accordance with this section and any restrictions in the Principal Agreement.
- 6.2 — Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as of the date of this Addendum.
- 6.3 — Processor shall give Controller a list of any new Subprocessors engaged after the date of this Addendum, upon reasonable request from the Controller.
- 6.4 — With respect to each Subprocessor, Processor or the Processor Affiliate shall:
- 6.4.1 — ensure that the arrangement between Processor or the Processor Affiliate, on the one hand, and the Subprocessor, on the other hand, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum; and
- 6.4.2 — if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses or other approved transfer mechanism under the GDPR (e.g. Privacy Shield or Binding Corporate Clauses) are at all relevant times incorporated into the agreement between Processor or the Processor Affiliate, on the one hand, and the Subprocessor, on the other hand.
7. Data Subject Rights
- 7.1 — Taking into account the nature of the Processing, Processor and each Processor Affiliate shall assist each Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.
- 7.2 — Processor shall:
- 7.2.1 — notify Controller if Processor or a Processor Affiliate receives a request from a Data Subject under any Applicable Laws in respect of Personal Data; and,
- 7.2.2 — ensure that the Contracted Processor does not respond to that request except as required by Applicable Laws to which the Contracted Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before the Contracted Processor responds to the request.
- 7.3 — Controller shall:
- 7.3.1 — be responsible for responding to a request from a Data Subject as required under any Applicable Laws in respect of Personal Data.
8. Assistance to Data Controller
Taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller, at Controller’s expense, in Data Protection Impact Assessments, and with prior consultations with supervisory authorities. Controller and Processor shall work together in good faith to determine a reasonable fee for Processor’s assistance prior to the initiation of this assistance.
9. Personal Data Breach
- 9.1 — Processor shall notify Controller without undue delay upon Processor or Subprocessor becoming aware of a Personal Data Breach affecting Personal Data.
10. Audits
At the reasonable request of the Controller, the Processor shall demonstrate the technical and organizational measures it has taken pursuant to this Addendum and shall allow the Controller to audit and test such measures.
- 10.1 — Controller undertaking an audit shall give Processor or the relevant Processor Affiliate reasonable notice of any audit or inspection to be conducted under this section and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
- 10.2 — A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
- 10.2.1 — to any individual unless he or she produces reasonable evidence of identity and authority;
- 10.2.2 — outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller undertaking an audit has given notice to Processor or the relevant Processor Affiliate that this is the case before attendance outside those hours begins; or
- 10.2.3 — for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which the Controller is required or requested to carry out by Applicable Laws or a regulatory authority of competent jurisdiction, where the Controller has identified the relevant requirement or request in its notice to Processor or the relevant Processor Affiliate of the audit or inspection.
- 10.3 — Unless otherwise required by Applicable Laws or a regulatory authority of competent jurisdiction, Contracted Processor shall fulfill the audit requirement in this Section by providing Controller with a copy of its most recent SOC 2 audit report or its equivalent, pursuant to a non-disclosure agreement, applicable to its processes, systems and networks involved in performance of the Agreement.
11. Deletion or Return of Personal Data
- 11.1 — Within 30 days of the termination date, Controller may by written notice require Processor and each Processor Affiliate to (a) return a complete copy of all Personal Data to Controller and/or (b) delete and procure the deletion of all other copies of Personal Data Processed by any Contracted Processor. Processor and each Processor Affiliate shall comply with any such written request within 90 days of the written request.
- 11.2 — Each Contracted Processor may retain Personal Data to the extent required by Applicable Laws and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws.
12. Governing Law and Jurisdiction
- 12.1 — the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement; and
- 12.2 — this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Appendix 1
Data Processing Information
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is:
- Customer
Data importer
The data importer is:
- Prodoscore
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
- Customer’s employees, agents, and business representatives
Categories of data
The personal data transferred concern the following categories of data:
- First and last name
- Ordinary contact information (including, but not limited to telephone number, e-mail)
- Title
- Position
- Employer
- Professional information (career, company, email, phone, physical business address)
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding interactions with email client, internet browser, or other computer applications
- Audio, electronic, visual, or similar information, such as screenshots and call transcriptions
- Inferences and analytics drawn from the above categories concerning the employee’s productivity and behavior
Processing operations
The personal data transferred will be subject to the following basic processing activities:
- For the provision of the Services as specified in the Principal Agreement.
Appendix 2
Security Measures
SOC 2 Type 2 attestation report, including but not limited to the following security controls:
1. Access control to premises and facilities
Measures are taken to prevent unauthorized physical access to premises and facilities holding personal data.
2. Access control to systems
Measures are taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
- Password procedures (incl. special characters, minimum length, forced change of password)
- No access for guest users or anonymous accounts
3. Access control to data
Measures are taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data.
4. Encryption
Encryption at rest (AES 256) and in transit (BoringSSL) is implemented across the cloud infrastructure.
5. Incident response plan
Development of a written incident response plan.
The Customer remains responsible for the following security measures:
- Protection of Customer’s user credentials
- Appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of Customer’s networks, endpoints and browsers used to access the Services