PREAMBLE
WHEREAS, Processor may process Personal Data on behalf of Data Controller in the course of providing the Services under the Agreement,
WHEREAS, in order to ensure that appropriate safeguards are provided with respect to the processing of Personal Data provided by Data Controller to Processor, the parties have entered into the Agreement and agree to comply with the following provisions with respect to the Personal Data, each acting reasonably and in good faith.
NOW, THEREFORE, and in consideration of the foregoing requirements, the mutual representations and the contractual understandings set forth below, the Data Controller and the Processor agree as follows:
1. DEFINITIONS
1.1. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
1.1.1. "Affiliate" means a legal entity that directly or indirectly controls, is controlled by, or is under the common controlling influence with the applicable legal entity. For purposes of this definition, "controlling influence" means direct or indirect ownership of, or influence over, more than 50% of the voting shares of the relevant legal entity.
1.1.2. "Applicable Data Protection Law" means any applicable law, regulation, regulatory guidance or requirement in any jurisdiction relating to data protection, privacy or confidentiality of Personal Data, including, without limitation, the GDPR together with any implementing, enforcement and supplemental legislation.
1.1.3. "Authorized Affiliate": an Affiliate of Data Controller that is either (a) subject to the data protection laws and regulations of the European Economic Area or its member states, the United Kingdom or Switzerland, or (b) subject to data protection laws and regulations outside the European Economic Area or its member states, Switzerland or the United Kingdom (as applicable), and that is in either case (c) authorized to engage Processor to process Personal Data under this Agreement.
1.1.4. "Data Controller" means the business entity that determines the purposes and means of the processing of Personal Data. For clarification, the party referred to above as the "Data Controller" is the Data Controller under this DPA.
1.1.5. "Data Breach": a breach of security that has resulted in the accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, access to, or processing of Personal Data that has been transferred, stored or otherwise processed.
1.1.6. "Data Protection Supervisory Authority": a representative or governmental officer of a governmental authority or governmental body that has the authority to enforce applicable data protection law.
1.1.7. "Data Subject": a natural person to whom Personal Data relates.
1.1.8. "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation).
1.2. "Blugency": the business entities listed below:
1.2.1. Blugency LTD, 7 Bell Yard, London WC2A 2JR, UK
1.2.2. Blugency LLC, 530-B Harkle Road, STE 100, Santa Fe, NM 87505, USA
1.3. "Personal Data": Any information that directly or indirectly identifies or can be identified with, relates to, describes, is associated with, or can reasonably be linked to a natural person or a specific household. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4. "Processing": any operation or set of operations which relates to Personal Data and is carried out by or in connection with and for the purpose of providing Services, with or without the aid of automated processes such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction in accordance with applicable data protection law.
1.5. "Processor" means a legal entity that processes Personal Data on behalf of the Data Controller. For the avoidance of doubt, the party identified as a "Processor" is a Processor for the purposes of this DPA.
1.6. "Services": the processing of Personal Data by the Processor in connection with and for the purpose of providing the Services performed by the Processor pursuant to the Agreement.
1.7. "Service Provider" means a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity organized or operated for the profit or financial benefit of its shareholders or other equity holders or members that processes Personal Data on behalf of a Data Controller and to which the Data Controller discloses personal data of a Data Subject for a commercial purpose pursuant to a written contract for processing, provided that the contract prohibits the Service Provider from retaining, using or disclosing the personal data for any purpose other than the specific purpose of performing the services specified in the contract, or as otherwise permitted by applicable law, including retaining, using or disclosing the personal data for a commercial purpose other than providing the services specified in the contract with the Data Controller.
1.8. "Sub-processor" means any legal entity that processes Personal Data on behalf of the Processor.
2. PROCESSING OF PERSONAL DATA
2.1. Duties of the Parties. The Parties acknowledge and agree that, for the processing of the Personal Data, the Data Controller is the data controller as defined in this Addendum and the Processor is the Processor or Service Provider as defined in this Addendum. The subject matter, duration and purpose of the Processing, and the types of Personal Data and categories of Data Subjects processed under this DPA, are further set forth in Annex 1.
2.2. Duties of the Data Controller. The Data Controller warrants that its instructions for the processing of Personal Data comply with applicable data protection laws and regulations. The Data Controller shall be solely responsible for the accuracy, quality and lawfulness of the Personal Data and for the means by which the Data Controller obtains the Personal Data and discloses it to the Processor.
2.3. Obligations of the Processor. All Personal Data processed by Processor under this Agreement shall be Confidential Information, and Processor shall process the Personal Data solely in accordance with the instructions documented in Annex 1 or as otherwise notified in writing by Data Controller. The Processor shall not sell the Personal Data processed under this DPA and shall not store, use or disclose Personal Data outside the direct business relationship between the Processor and the Data Controller. Processor shall comply with all applicable data protection law in connection with the processing of Personal Data. If the Processor believes that compliance with an instruction of the Data Controller would result in a breach of applicable data protection law, the Processor shall promptly notify the Data Controller in writing. Upon request, the Processor shall provide the Data Controller with all information necessary to demonstrate how the Processor is complying with its obligations under this DPA.
2.4. Collaboration Requirements. Processor shall assist Data Controller in: complying with applicable Data Protection Law; responding to suspected or actual Data Breaches; responding to notifications to or requests from a Data Protection Supervisory Authority; responding to notifications to and requests from Data Subjects; and meeting Data Controller's obligation to conduct Data Protection Impact Assessments and prior consultations with a Data Protection Supervisory Authority.
3. NOTIFICATION OBLIGATIONS
3.1. Notification Obligations of the Processor. The Processor shall notify the Data Controller promptly and in writing of the following:
3.1.1. a request by a Data Subject to exercise his/her data protection rights such as the right of access, rectification, erasure, data portability, the right to object or the right to restrict his/her Personal Data;
3.1.2. a request or complaint received from the Data Controller's customers or employees;
3.1.3. a question, complaint, investigation or other inquiry from a Data Protection Supervisory Authority;
3.1.4. a request for disclosure of Personal Data that relates to the Processor's processing of Personal Data under this DPA;
3.1.5. a Personal Data breach as defined in the notification obligations under Article 7.1; and
3.1.6. any event in which, in the course of the Processor's processing, the Personal Data becomes the subject of an investigation or seizure, an attachment order, a confiscation in bankruptcy or insolvency proceedings, or any other action by a third party.
3.2. The Processor shall assist the Data Controller in fulfilling its obligations to respond to requests or inquiries pursuant to Articles (3.1.1) - (3.1.6) above and the Processor shall not respond to such requests or inquiries without the prior written consent of the Data Controller, unless the Processor is required to do so by law.
4. CONFIDENTIALITY
4.1. Confidential Information. All information provided to Processor under this Agreement is confidential.
4.2. Processor's Employees. Processor shall ensure that its employees involved in the processing of Personal Data are informed of the confidentiality of the Personal Data, have received an appropriate introduction to their responsibilities and have signed written confidentiality agreements. The Processor likewise guarantees that these confidentiality obligations will continue after the termination of the respective employment relationship with such employees.
4.3. Restriction of Access. Processor warrants that access to Personal Data is restricted to those employees who require it to perform services under this Agreement.
5. SUB-PROCESSORS
5.1. Appointment of Subprocessors. Data Controller acknowledges and agrees that Processor and Processor's Affiliates may engage third-party Subprocessors in connection with the performance of the Services. Processor and its Affiliates shall enter into a written agreement with each Subprocessor that contains data protection obligations providing no less protection than the obligations in this DPA, to the extent applicable to the nature of the service provided by the Subprocessor. The Data Controller hereby authorizes the Processor to engage Amazon Web Services (AWS) to process the Personal Data in accordance with this DPA. The Data Controller shall not communicate directly with the Processor's Subprocessors about the Services unless previously agreed with the Processor, at the Processor's discretion.
5.2. Notification of Changes to Sub-Processors. The Processor shall notify the Data Controller of any intended addition or replacement of a Subprocessor before the new Subprocessor is deployed, and shall provide the Data Controller with a mechanism to sign up for notices of new Subprocessors.
5.3. Right of Objection for New Subprocessors. The Data Controller may reasonably object to the use of a new Subprocessor by the Processor by promptly notifying the Processor thereof in writing within fifteen (15) Business Days of receipt of the notice from the Processor. In the event that the Data Controller objects to a new Subprocessor, then the Processor shall use reasonable efforts to provide the Data Controller with a modification to the Services that will avoid the processing of Personal Data by the rejected new Subprocessor. If it is impossible for the Processor to make such a change, then the Data Controller may terminate the applicable agreement in connection with those Services that cannot be provided by the Processor without the use of the rejected Subprocessor.
5.4. Liability for acts of sub-processors. Processor shall be liable for all acts and omissions of its Subprocessors to the same extent as if it were itself providing the services of each Subprocessor under this DPA.
6. SECURITY
6.1. Personal Data Protection. Processor shall implement appropriate technical and organizational measures to protect the security (including protection against unauthorized or unlawful processing of Personal Data and against accidental or unlawful destruction, loss, alteration or damage, unauthorized disclosure of or access to Personal Data), confidentiality, and integrity of Personal Data.
6.2. Audit Rights. The Data Controller agrees that its audit rights against the Processor shall be satisfied by the submission of current certificates, reports, and extracts from independent bodies, including but not limited to external or internal auditors, the Processor's data protection officer, IT security department, data protection or quality auditors or other mutually agreed third parties, or by an audit of the Processor's IT security or data protection. To the extent that such certificates, reports, or statements do not satisfy an audit requirement imposed by applicable data protection laws and regulations, the Data Controller or a person designated by the Data Controller shall have the right, at the Data Controller's expense, to audit and inspect the premises, policies, procedures and computerized systems of the Processor to verify that the Processor is in compliance with the requirements of this DPA. The Data Controller or its designated person shall notify the Processor at least thirty (30) days prior to conducting its audit, unless the audit is required as a result of a Data Breach involving the Processor. Audits conducted by the Data Controller or its designated person shall not violate the Processor's confidentiality obligations to its other customers. All audits shall be conducted during normal business hours at the Processor's place of business or at other locations of the Processor where Personal Data is accessed, processed, or maintained, and shall not disrupt the Processor's normal business operations. Prior to the commencement of any such audit, the Processor and the Data Controller shall mutually agree on the timing, scope, and duration of the audit. The Data Controller may request an audit summary report or an audit of the Processor no more than once a year.
7. DATA PROTECTION VIOLATIONS
7.1. Data Breach Notification. Processor shall notify Data Controller in writing of a suspected Data Breach promptly upon becoming aware of it. Under no circumstances shall the notification be made later than 72 hours after the Data Breach is discovered by the Processor.
7.2. Data Breach Management. Processor shall use reasonable efforts to identify the cause of the Data Breach and shall take such actions as Processor deems necessary and appropriate to remedy the cause of such Data Breach, provided that such action is within Processor's reasonable control.
8. TERMINATION
8.1. Termination. This DPA shall automatically terminate upon the later of (a) the termination or expiration of the Agreement or (b) the deletion or return of the Personal Data by Processor. Data Controller shall also have the right to terminate this DPA for cause if, in the Data Controller's sole opinion, the Processor materially or persistently breaches this DPA; such a breach exists if the Processor fails to cure a remediable breach within ten (10) days from the date of receipt of a written notice from the Data Controller requesting cure.
8.2. Return or Deletion of Data. Upon termination of this DPA, Processor shall delete or return all existing copies of Personal Data unless applicable law requires it to continue to retain the Personal Data. Upon request of the Data Controller, the Processor shall confirm in writing that it has complied with these obligations and that all existing copies have been deleted. In cases where local law requires the Processor to retain the Personal Data, the Processor shall protect the confidentiality, integrity, and availability of the Personal Data, shall not actively process it, and shall continue to comply with the terms of this DPA.
9. MECHANISMS FOR INTERNATIONAL TRANSFERS
9.1. Transfers to Third Countries. In the course of providing services under this DPA, it may be necessary for the Data Controller to transfer the Personal Data from the European Union, the European Economic Area or its member states, Switzerland or the United Kingdom to the Processor in a country that is not located in the European Economic Area and does not benefit from an adequacy decision of the European Commission, in particular the USA.
9.2. With respect to Personal Data subject to the GDPR: (i) the Processor shall be the "Data Importer" and the Data Controller the "Data Exporter"; (ii) the terms of Module 2 shall apply if the Data Controller is a Data Controller under this DPA and the Processor is a Data Processor under this DPA; (iii) the optional docking clause in Clause 7 shall be deleted; (iv) Option 2 of Clause 9 of Module 2 is applicable, and the list of Subprocessors and the deadline for notifying changes are as agreed in Article 5 of this DPA; (v) the optional language in Clause 11 is deleted; (vi) Option 1 in Clause 17 applies and the Standard Contractual Clauses are governed by the law of the Member State in which the Processor is established; (vii) disputes referred to in Clause 18(b) shall be resolved in the courts of the Member State in which the Data Controller is established; (viii) Annex I and Annex II shall each be deemed to be completed with the information referred to in Annex 1 to this DPA; and (ix) to the extent of any conflict, the Standard Contractual Clauses shall prevail if and to the extent that they conflict with any provision of the Agreement (including this DPA). For this Article, the Standard Contractual Clauses from the European Commission's Implementing Decision (EU) 2021/914 are incorporated by reference into this document and can be found under "Standard contractual clauses for transfers of personal data to third countries" on the European Commission website (europa.eu).
9.2.3. With respect to Personal Data subject to UK data protection law, the International Data Transfer Agreement ("IDTA") shall apply with the following modifications: (i) the contact information for the parties to the Agreement shall also be the contact information for the IDTA; (ii) the Data Controller is the Data Exporter and the Processor is the Data Importer; (iii) the laws to which the IDTA is subject and the jurisdiction in which legal claims may be brought are those of England and Wales; (iv) the United Kingdom's General Data Protection Regulation ("UK GDPR") does not apply to the Data Importer's processing of the Transferred Data; (v) the Parties do not adopt any additional security or commercial clauses under the IDTA; and (vi) the information contained in this DPA and Annex 1 may be used to complete Tables 1-4. For this Article, the Information Commissioner's Office International Data Transfer Agreement is incorporated by reference into this document and can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
9.3. With respect to Personal Data subject to the Swiss Federal Act on Data Protection (the "Swiss DPA"), the Standard Contractual Clauses referenced in Article 9.2 shall apply with the following modifications: (i) references to "Regulation (EU) 2016/679" shall be construed as references to the Swiss DPA; (ii) references to "EU law", "Union law" and the "law of the Member States" shall be construed as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" shall be replaced with the "Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
9.4. Alternative Data Transfer Mechanisms. The Parties recognize that laws, rules and regulations relating to international data transfers are rapidly evolving. In the event that either Party proposes another mechanism that complies with applicable laws, rules or regulations governing transfers of Personal Data (each an "Alternative Data Transfer Mechanism"), the Parties agree to cooperate in good faith to implement any amendments to this Agreement that may be required for that Alternative Data Transfer Mechanism.
10. OTHER PROVISIONS
10.1. Amendments. This DPA shall not be modified or amended, nor shall any or all of its provisions be deemed waived or otherwise changed, except by written agreement duly executed by the authorized representatives of both Parties.
10.2. Governing Law. This DPA shall be governed by the applicable law specified in this Agreement.
Annex 1: Description of data processing
Blugency LLC
530-B Harkle Road, STE 100,
Santa Fe, NM 87505, USA
and
Blugency LTD
7 Bell Yard,
London WC2A 2JR, UK
Data Processing Frequency:
As specified in the agreement.
Duration of Data Processing:
As specified in the agreement.
Scope, nature and purpose of data processing
As indicated in the agreement.
Data subjects
The processing of personal data may relate to the following categories of data subjects: customers, prospects, employees, suppliers, sales representatives, contacts, contractors (including temporary employees), volunteers, temporary and casual workers, freelancers, agents, consultants and other experts, and their relatives, beneficiaries and emergency contacts; complainants, correspondents and questioners; employees or contacts of the Data Exporter's prospects, customers, business partners and distributors; business partners and distributors of the Data Exporter (who are natural persons); and users authorized by the Data Exporter to use the Services.
Data categories
The personal data processed may concern the following categories of data:
Data uploaded by the Data Controller into the Services under its customer accounts.
Technical and organizational measures
The following describes the technical and organizational security measures implemented by the Processor:
Security awareness training.
The Processor's personnel receive security awareness training. This includes mandatory security training on the handling and security of confidential and sensitive information such as personal data, account data and health data, consistent with applicable law, as well as regular security communications and security courses focused on the end user.
Security Policies and Procedures
The Processor has information security, user, and management policies that prescribe the actions of employees and contractors regarding the appropriate use, access, and storage of confidential and sensitive information, restrict employees of the Processor from accessing confidential and sensitive information they do not need to perform their jobs, prevent terminated employees from accessing the Processor's information after termination, and impose disciplinary action for failure to comply with these policies. Access to Processor resources is denied by default unless it has been specifically assessed and granted. To the extent permitted by law, the Processor conducts background checks on its employees at the time of hire.
Physical and environmental access controls.
The Processor limits physical access to its information systems and facilities through the use of physical controls (e.g., access PIN) that provide reasonable assurance that access to its data centers is limited to authorized individuals and uses camera and video surveillance systems at critical internal and external entry points. The Processor uses air temperature and humidity controls for its data centers and protects them from loss due to power failure.
Logical access control.
The Processor uses logging and monitoring technology to detect and prevent unauthorized access attempts to its networks and production systems. The Processor's monitoring includes a review of changes that affect the authentication, authorization, and auditing of systems, and the Processor controls and reviews privileged access to its production systems.
Encryption Controls
The Processor applies business-appropriate encryption controls to all of its products. The Processor evaluates and applies encryption in transit and at rest, following industry best practices for cipher selection. Best practices are likewise applied to the lifecycle management of encryption keys, including their generation, storage, access control, and rotation.
Vulnerability Management
The Processor performs vulnerability scans on a regular basis and remediates discovered vulnerabilities according to their risk. The Processor's products are also subject to regular vulnerability and penetration testing.
Disaster recovery and data backup controls
The Processor shall perform regular backups of production file systems and databases on an established schedule and maintain a formal disaster recovery plan for the cloud data center, including regular testing.
Cyber Incident Response Plan
The Processor uses an Incident Response Plan to manage and minimize the impact of unplanned cyber events that include procedures to follow in the event of an actual or potential security breach including the following: an internal incident response team with an incident commander, investigative team that conducts root cause analysis and identifies affected parties, internal reporting and notification procedures, documentation of responsive actions and remediation plans, and a post-incident review of events.
Storage and transmission security
The Processor shall apply technical security measures to protect against unauthorized access to its data while it is transmitted over a public electronic communications network or stored on systems reachable from such a network.
Secure Disposal
The Processor shall apply policies and procedures for the disposal of tangible and intangible assets containing Personal Data so that such data cannot be read or reconstructed.
Risk identification and assessment
The Processor uses a risk assessment program to assist in reasonably identifying foreseeable internal and external risks to its information assets and determines whether the controls, policies, and procedures in place are adequate to address the identified risks.
Suppliers and Service Providers
Third-party vendors or distributors (collectively referred to as "Suppliers") with access to the Processor's confidential information are subject to risk assessments that take into account the sensitivity of the information the Processor discloses to them. Suppliers are expected to comply with all relevant contractual terms and conditions pertaining to the security of the Processor's data and with all applicable Processor policies and procedures. Where appropriate, the Processor shall periodically require its Suppliers to demonstrate their security posture to confirm compliance.