Data Processing Addendum.

Last updated on June 1, 2023.

This Data Processing Addendum (“DPA”) forms part of the Agreement and sets out the terms that apply when Personal Data is Processed by SIS under the Agreement.

  1. Definitions

    1. For the purposes of this DPA, the following terms shall have meanings set forth below and any other capitalized terms used but not defined in this DPA have the same meanings set forth in the Agreement:

      1. “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to the GDPR.

      2. “Data Subject” means the identified or identifiable natural person subject to the Processing.

      3. “Data Protection Legislation” means all laws and regulations applicable to the Processing of Personal Data under this DPA, in each case as amended from time to time, including the GDPR and the UK GDPR.

      4. “EEA” means the European Economic Area.

      5. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and/or the UK General Data Protection Regulation (the “UK GDPR”), and any EU Member State and/or UK laws made under or pursuant to the GDPR and/or UK GDPR.

      6. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      7. “Processor” means an entity which Processes Personal Data on behalf of the Controller.

      8. “Personal Data” means any information relating to an identified or identifiable natural person and that allows that person to be identified.

      9. “Security Incident” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

      10. “Sensitive Data” means (a) social security number; (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) criminal history; (f) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.

      11. “Standard Contractual Clauses” means the Standard Contractual Clauses approved by (i) European Commission Decision (EU) 2021/915 or any subsequent version thereof released by the European Commission (which will automatically apply) or (ii) the UK Secretary of State or Information Commissioner (as applicable).

  2. Relationship with Agreement

    1. Except as amended by this DPA, the Agreement will remain in full force and effect.

    2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

    3. Any claims brought under this DPA shall be subject to the terms of, including but not limited to, the exclusions and limitations set forth in the Agreement.

  3. Aggregate Information

    Notwithstanding anything in this DPA, SIS will have the right to collect, extract, compile, synthesize and analyze Aggregate Information (as defined in the Agreement) resulting from Your use or operation of the Products. To the extent any Aggregate Information is collected or generated by SIS, such data may be used by SIS for any lawful business purpose without a duty of accounting to You. For the avoidance of doubt, this DPA will not apply to Aggregate Information.

  4. General Data Protection Obligations

  5. Roles and Responsibilities

    1. Parties’ Roles. With respect to the Processing of Personal Data, You, as the Controller or Processor (as applicable) appoint SIS as a Processor to Process the Personal Data described in Annex A on Your behalf, and You and SIS shall comply with all applicable Data Protection Legislation.

    2. Purpose Limitation. SIS shall Process the Personal Data for the purposes described in Annex A and only in accordance with Your lawful, written and duly documented instructions, except where otherwise required by Applicable Law. The Agreement and this DPA set out Your complete instructions to SIS in relation to the Processing of the Personal Data, and any Processing required outside of the scope of these instructions will require prior written agreement between the parties. You acknowledge that SIS shall have a right to Process Personal Data in order to provide the Products to You. SIS agrees to hold and use all Personal Data in confidence and not to disclose Personal Data to any third party, except (i) in the ordinary course of business to carry out the permitted activities under the Agreement; or (ii) as required or permitted by Applicable Law.

    3. Processing of Sensitive Data. You will not provide (or cause to be provided) any Sensitive Data to SIS unless You have received the explicit consent of the Data Subject to the Processing of such Sensitive Data for the intended purposes, and the Processing of such Sensitive Data is not prohibited by law as set out in Article 9 of the GDPR. For the avoidance of doubt, this DPA will not apply to, and SIS shall have no liability with respect to, any Sensitive Data for which You have not received consent pursuant to this section 5.3.

    4. Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A.

    5. Compliance. You shall be responsible for ensuring that:

      1. you have complied, and will continue to comply, with all Applicable Laws relating to privacy and data protection, including Data Protection Legislation, in Your use of the Products and Your own Processing of Personal Data (except as otherwise required by Applicable Law), including by providing notice and obtaining all consents and rights necessary under Data Protection Legislation for SIS to Process Personal Data; and

      2. you have, and will continue to have, the right to transfer or provide access to the Personal Data to SIS for Processing in accordance with the terms of the Agreement and this DPA.

  6. Data Security

    1. Security. SIS shall implement and maintain technical and organizational measures to protect Personal Data in compliance with Data Protection Legislation and in accordance with Annex B to this DPA. SIS shall protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access by implementing, for example: the encryption of Personal Data; the practice of least privilege and tiered access controls; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the Processing.

    2. Security Exhibit. The technical and organizational security measures which SIS shall have in place are set out at Annex B to this DPA.

  7. Additional Security

    1. Confidentiality of Processing. SIS shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty), it being specified that the access to Personal Data is limited only to the employees of SIS who need to have access to the Personal Data for the purpose of delivering the Products and who have completed a privacy training.

    2. Security Incidents. Upon becoming aware of a Security Incident which, according to the GDPR, is likely to result in a risk to the rights and freedoms of natural persons, or where there is a real risk of significant harm to the Data Subject, SIS shall notify You without undue delay (but in no event later than 72 hours) and shall provide such timely information as You may reasonably require, including to enable You to fulfil any data breach reporting obligations under Data Protection Legislation. SIS shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident. This section 7.2 does not apply to Security Incidents that are caused by You, including Your employees, partners, subcontractors, or agents.

  8. International Transfers

    To the extent that the Processing of Personal Data by SIS involves the export of Personal Data to a third party in a country or territory outside of the UK, EEA and/or Canada, such export shall be:

    1. to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission or UK Secretary of State (as applicable);

    2. to a third party that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission or the UK Secretary of State (as applicable); or

    3. governed by the Standard Contractual Clauses, with You as exporter and SIS or a third party (as applicable) as importer. For this purpose, You appoint SIS as your agent with the authority to complete and enter into the Standard Contractual Clauses as agent for You on Your behalf; and

    4. You agree that this DPA constitutes Your written authorization for SIS and its Sub-Processors to Process Personal Data anywhere in the world where SIS or its Sub-Processors maintain data processing operations.

  9. Sub-Processing

    1. Sub-Processors. You agree that this DPA constitutes Your written authorization for SIS to engage Affiliates and third party sub-processors (collectively, “Sub-Processors”) to Process the Personal Data on SIS’s behalf, including Sub-Processors currently engaged by SIS. The Sub-Processors currently engaged by SIS and authorized by You are available at: https://trust.signinenterprise.com/.

    2. Objection to Sub-Processors. SIS will notify You of the appointment of any new Sub-Processors. You may object in writing to the appointment of any additional Sub-Processors within thirty (30) calendar days after receipt of SIS’s notice. In the event that You object on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, SIS will, at its sole discretion, either not appoint such Sub-Processor, or permit You to suspend or terminate the Products in accordance with the termination provisions of the Agreement. In the event that You suspend or terminate the Products in accordance with the preceding sentence, You shall immediately pay all fees and costs then owing to SIS and all fees and costs incurred by SIS as a result of the termination.

    3. Sub-Processor obligations. Where a Sub-Processor is engaged by SIS as described in this Section 9, SIS shall:

      1. restrict the Sub-Processor’s access to Personal Data only to what is necessary to perform the subcontracted services;

      2. impose on such Sub-Processors data protection terms that protect the Personal Data to the standards no less stringent than those provided for by this DPA; and

      3. remain responsible for any breach of the DPA caused by a Sub-Processor.

  10. Cooperation

    1. Cooperation and Data Subjects’ rights. SIS shall, taking into account the nature of the Processing, provide commercially reasonable assistance to You insofar as it is possible or permissible under Data Protection Legislation, to enable You to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Legislation. You will not request applicable information from SIS, such as access or correction requests, without verifying the identity of the Data Subject. In the event that such request is made directly to SIS, SIS shall, unless prohibited by law, promptly inform You of same. To the extent legally permitted, You shall be responsible for any costs arising from SIS’s provision of such assistance.

    2. Data Protection Impact Assessments. SIS shall, to the extent required by Data Protection Legislation and at Your sole expense, taking into account the nature of the Processing and the information available to SIS, provide You with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that You are required to carry out under Data Protection Legislation.

  11. Security Reports and Audits

    1. The parties acknowledge that SIS uses external auditors to comprehensively assess the adequacy of its data Processing, including the security of the systems and premises used by SIS to provide data Processing services.

    2. The parties further acknowledge that these audits:

      1. are performed at least once each year;

      2. are conducted by auditors selected by SIS, but otherwise conducted with all due and necessary independence and professionalism; and

      3. are fully documented in an audit report that affirms that SIS’s controls meet industry standards against which they are assessed (“Report”).

    3. At Your written request and at Your sole expense, SIS will provide You with a copy of the Report.

    4. SIS will further provide written responses to reasonable requests for information made by You, no more than once per year, including responses to information security and audit questionnaires that are necessary to confirm SIS’s compliance with this DPA.

    5. SIS shall permit You (or Your appointed third party auditors, which must be reasonably acceptable to SIS), at Your sole expense, to carry out an audit of SIS’s Processing of Personal Data under the Agreement following a Security Incident suffered by SIS, or upon the instruction of a data protection authority, to determine SIS’s compliance with this DPA. You must give SIS reasonable prior written notice of such intention to audit, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to SIS’s operations. Any such audit shall be subject to SIS’s security and confidentiality terms and guidelines. Following completion of the audit, upon request, You will promptly provide SIS with a complete copy of the results of that audit. Notwithstanding the foregoing, SIS will not be required to disclose any proprietary or privileged information, including to You or any of Your auditors, agents, or vendors.

  12. Deletion / Return of Data

    1. Deletion or return of data. Upon the termination or expiration of the Agreement, SIS will delete or destroy all copies of Personal Data in its possession or control, save to the extent that: (i) SIS is required by any applicable law to retain some or all of the Personal Data; (ii) SIS is reasonably required to retain some or all of the Personal Data for limited operational and compliance purposes; or (iii) the Personal Data has been archived on SIS’s back-up systems. In all such cases, SIS shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. You may, within 30 days of termination or expiration of the Agreement, request a copy of the Personal Data inputted into the Products by You, provided such data is in SIS’s possession or control at the time of the request, and SIS shall make available a copy of Your Personal Data.

ANNEX A


DESCRIPTION OF PROCESSING

Nature and Purposes of Processing
SIS is a provider of cloud-based Products. The data Processing will involve any such Processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.

Categories of Data Subjects
Any categories of individuals whose data You extract, transfer, and/or load onto the Products, which may include but is not limited to:

  • Users of the Products at Your business locations; or

  • Your past, present and prospective clients and business relationship contacts.

Categories of Data
The personal data concerns the following categories of data for the Data Subjects:

  • Data Subjects’ identification information (first and last name), contact information (which may include some or all of the Data Subject’s e-mail address, address, telephone number, fax number), and location; and

  • Any other personal data that You choose and determine to include in Your instance of the Products for Data Subjects to enter, including Sensitive Data for which You have received the explicit consent from a Data Subject to the Processing of such data for the intended purposes.

The personal data transferred to SIS for Processing is determined and controlled by You in Your sole discretion. As such, SIS has no control over the volume and sensitivity of personal data Processed through the Products by You.

Special Categories of Data (if appropriate)
SIS does not intentionally collect or Process any special categories of data in the provision of the Products.
You agree not to provide special categories of data to SIS at any time unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.

Duration of Processing
The personal data will be Processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.

ANNEX B


SECURITY MEASURES

Network Controls

  1. SIS will monitor the networks used for Processing personal data for issues including but not limited to throughput, memory usage, response time, system load and error events.

  2. SIS will adhere to change management standards when any alterations to networks are implemented.

  3. SIS will assess network vulnerabilities on an ongoing basis and address critical vulnerabilities within SIS’s control within a reasonable time.

Application Controls

  1. SIS will maintain documentation outlining the overall application infrastructure and Process flows of personal data.

  2. SIS will perform code reviews on any and all code contributed to the applications used in Processing personal information.

  3. SIS will follow secure coding best practices in the development life cycle of its software including employing separate environments for development, QA and production.

  4. SIS will assess application vulnerabilities on an ongoing basis and address critical vulnerabilities within a reasonable time.

Data Controls

  1. SIS will employ best practices when storing any data generated from the Processing of personal data. Notwithstanding the foregoing, should a customer choose to configure an integration with a third party that is not provided by, required by, or approved by SIS, unless such integration is necessary in order to use the Products, customer and not SIS is responsible for ensuring that such a third party employs data storage and Processing best practices.

  2. SIS will use strong encryption (TLS) for all data in transit.

  3. SIS will create encrypted backups of data on an ongoing basis in the event that a data restoration is necessary.

  4. SIS will ensure that all SIS employee devices that have access to sensitive information are encrypted and monitored.
