Data Processing Addendum.
Last updated on Oct 18, 2022.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA”) is made as of the date set forth in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is Processed by Sign In Enterprise under the Agreement.
1. Definitions
- For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
- “Agreement” means the legal agreement entered into between Sign In Enterprise Inc. (“Sign In Enterprise” or “SIE”) and You, to which this DPA is attached or incorporated by reference, and includes the Terms and Conditions, as applicable, between the parties, in each case providing for the provision by SIE to You of the Services described therein.
- “Data Subject” means the identified or identifiable natural person subject to the Processing.
- “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), as well as the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), the Act respecting the protection of personal information in the private sector (Québec) (the “Private Sector Act”), the Personal Information Protection Act of Alberta (the “PIPA AB”) and the Personal Information Protection Act of British Columbia (the “PIPA BC”) (as amended, replaced or superseded).
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to the GDPR.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means an entity which Processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person and that allows that person to be identified.
- “Security Incident” means confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Sensitive Data” means (a) social security number; (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) criminal history; and (f) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.
- “Standard Contractual Clauses” means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/915 or any subsequent version thereof released by the European Commission (which will automatically apply).
2. Relationship with Agreement
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
- Any claims brought under this DPA shall be subject to the terms of, including but not limited to, the exclusions and limitations set forth in the Agreement.
3. Aggregate Information
Notwithstanding anything in this DPA, Sign In Enterprise will have the right to collect, extract, compile, synthesize and analyze Aggregate Information (as defined in the Agreement) resulting from Your use or operation of the Services. To the extent any Aggregate Information is collected or generated by Sign In Enterprise, such data may be used by Sign In Enterprise for any lawful business purpose without a duty of accounting to You. For the avoidance of doubt, this DPA will not apply to Aggregate Information.
4. Roles and responsibilities
- Parties’ Roles. With respect to the Processing of Personal Data, You, as Controller or Processor (as applicable) appoint Sign In Enterprise as a Processor to Process the Personal Data described in Annex A on Your behalf, it being specified that Sign In Enterprise and You shall comply with applicable Data Protection Legislation.
- Purpose Limitation. Sign In Enterprise shall Process the Personal Data for the purposes described in Annex A and only in accordance with Your lawful, written and duly documented instructions, except where otherwise required by Applicable Law. The Agreement and this DPA set out Your complete instructions to Sign In Enterprise in relation to the Processing of the Personal Data, and any Processing required outside of the scope of these instructions will require prior written agreement between the parties. You acknowledge that Sign In Enterprise shall have a right to Process Personal Data in order to provide the Services to You, fulfill its obligations under the Agreement, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical maintenance and support, product development, and sales and marketing. Sign In Enterprise agrees to hold and use any and all Personal Data in confidence and not to disclose the Personal Data to any third party (or permit any of its employees, agents or representatives to do so), except (i) in the ordinary course of business to carry out the permitted activities under the Agreement; or (ii) as required or permitted by applicable law.
- Processing of Sensitive Data. You will not provide (or cause to be provided) any Sensitive Data to Sign In Enterprise, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes, and the Processing of such Sensitive Data is not prohibited by law as set out in Article 9 of the GDPR. For the avoidance of doubt, this DPA will not apply to, and Sign In Enterprise shall have no liability with respect to, any Sensitive Data for which You have not received consent pursuant to this section 4.3.
- Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A.
- Compliance. You shall be responsible for ensuring that:
- you have complied, and will continue to comply, with all Applicable Laws relating to privacy and data protection, including Data Protection Legislation, in Your use of the Services and Your own Processing of Personal Data (except as otherwise required by Applicable Law), including by providing notice and obtaining all consents and rights necessary under Data Protection Legislation for Sign In Enterprise to Process Personal Data; and
- you have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Sign In Enterprise for Processing in accordance with the terms of the Agreement and this DPA.
5. Data Security
- Security. Sign In Enterprise shall Process and safeguard Personal Data in compliance with Data Protection Legislation, notably by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, such as, for example: the encryption of Personal Data; the practice of least privilege and tiered access controls; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- Security Exhibit. The technical and organizational security measures which Sign In Enterprise shall have in place under the Agreement are set out at Annex B to this DPA.
6. Additional security
- Confidentiality of Processing. Sign In Enterprise shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty), it being specified that access to Personal Data is limited only to the employees of Sign In Enterprise who need to have access to the Personal Data for the purpose of delivering the Services and who have completed privacy training.
- Security Incidents. Upon becoming aware of a Security Incident that, according to the GDPR, is likely to result in a risk to the rights and freedoms of natural persons, or where there is a real risk of significant harm to the Data Subject, Sign In Enterprise shall notify You without undue delay and shall provide such timely information as You may reasonably require, including to enable You to fulfil any data breach reporting obligations under Data Protection Legislation. Sign In Enterprise shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident on the Personal Data under this Agreement. This section 6.2 does not apply to Security Incidents that are caused by You, including Your employees, partners, subcontractors, or agents.
7. International Transfers
To the extent that the Processing of Personal Data by Sign In Enterprise involves the export of such Personal Data to a third party in a country or territory outside of the EEA and/or Canada, such export shall be:
- to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
- to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
- governed by the Standard Contractual Clauses, with You as exporter and such third party as importer. For this purpose, You appoint Sign In Enterprise as Your agent with the authority to complete and enter into the Standard Contractual Clauses as agent for You on Your behalf.
- You agree that this DPA constitutes Your written authorization for Sign In Enterprise and its Sub-Processors to Process Personal Data anywhere in the world where Sign In Enterprise or its Sub-Processors maintain data Processing operations.
8. Sub-Processing
- Sub-Processors. You agree that this DPA constitutes Your written authorization for SIE to engage Affiliates and third-party sub-processors (collectively, “Sub-Processors”) to Process the Personal Data on Sign In Enterprise’s behalf, including Sub-Processors currently engaged by Sign In Enterprise. The Sub-Processors currently engaged by SIE and authorized by You are listed at signinenterprise.com/tos/processors. Sign In Enterprise will notify You of any new Sub-Processors being appointed by updating the webpage referenced in this Section 8.1.
- Objection to Sub-Processors. You may object in writing, stating your reasonable grounds for the objection, to the appointment of any additional Sub-Processors within five (5) calendar days after receipt of Sign In Enterprise’s notice as set out in Section 8.1 above. In the event that You object on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, SIE will, at its sole discretion, either not appoint such Sub-Processor, or permit You to suspend or terminate the Services in accordance with the termination provisions of the Agreement. In the event that You suspend or terminate the Services in accordance with the preceding sentence, You shall immediately pay all fees and costs then owing to Sign In Enterprise and all fees and costs incurred by Sign In Enterprise as a result of the termination.
- Sub-Processor obligations. Where a Sub-Processor is engaged by Sign In Enterprise as described in this Section 8, Sign In Enterprise shall:
- restrict the Sub-Processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
- impose on such Sub-Processors data protection terms that protect the Personal Data to the standards no less stringent than those provided for by this DPA; and
- remain responsible for any breach of the DPA caused by a Sub-Processor.
9. Cooperation
- Cooperation and Data Subjects’ rights. Sign In Enterprise shall, taking into account the nature of the Processing, provide commercially reasonable assistance to You insofar as it is possible or permissible under Data Protection Legislation, to enable You to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Legislation. You will not request applicable information from Sign In Enterprise, such as access or correction requests, without verifying the identity of the Data Subject. In the event that such request is made directly to Sign In Enterprise, Sign In Enterprise shall, unless prohibited by law, promptly inform You of the same. To the extent legally permitted, You shall be responsible for any costs arising from Sign In Enterprise’s provision of such assistance.
- Data Protection Impact Assessments. Sign In Enterprise shall, to the extent required by Data Protection Legislation and at Your sole expense, taking into account the nature of the Processing and the information available to Sign In Enterprise, provide You with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that You are required to carry out under Data Protection Legislation.
10. Security reports and audits
- The parties acknowledge that Sign In Enterprise uses external auditors to comprehensively assess the adequacy of its data Processing, including the security of the systems and premises used by Sign In Enterprise to provide data Processing services.
- The parties further acknowledge that these audits:
- are performed at least once each year;
- are conducted by auditors selected by Sign In Enterprise, but otherwise conducted with all due and necessary independence and professionalism; and
- are fully documented in an audit report that affirms that Sign In Enterprise’s controls meet industry standards against which they are assessed (“Report”).
- At Your written request and at Your sole expense, Sign In Enterprise will (on a confidential basis) provide You with a summary of the Report.
- Sign In Enterprise will further provide written responses (on a confidential basis) to reasonable requests for information made by You, no more than once per year, including responses to information security and audit questionnaires that are necessary to confirm Sign In Enterprise’s compliance with this DPA.
- Sign In Enterprise shall permit You (or Your appointed third party auditors, which must be reasonably acceptable to Sign In Enterprise), at Your sole expense, to carry out an audit of Sign In Enterprise’s Processing of Personal Data under the Agreement following a Security Incident suffered by Sign In Enterprise, or upon the instruction of a data protection authority, to determine Sign In Enterprise’s compliance with this DPA. You must give Sign In Enterprise reasonable prior written notice of such intention to audit, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Sign In Enterprise’s operations. Any such audit shall be subject to Sign In Enterprise’s security and confidentiality terms and guidelines. Following completion of the audit, upon request, You will promptly provide Sign In Enterprise with a complete copy of the results of that audit. Notwithstanding the foregoing, Sign In Enterprise will not be required to disclose any proprietary or privileged information, including to You or any of Your auditors, agents, or vendors.
11. Deletion / return of data
- Deletion or return of data. Upon the termination or expiration of the Agreement, Sign In Enterprise will delete or destroy all copies of Personal Data in its possession or control, save to the extent that: (i) SIE is required by any applicable law to retain some or all of the Personal Data; (ii) SIE is reasonably required to retain some or all of the Personal Data for limited operational and compliance purposes; or (iii) the Personal Data has been archived on SIE’s back-up systems. In all such cases, Sign In Enterprise shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. You may, within 30 days of termination or expiration of the Agreement, request a copy of the Personal Data inputted into the Services by You, provided such data is in Sign In Enterprise’s possession or control at the time of the request, and Sign In Enterprise shall make Your Personal Data available in a CSV extract format.
12. General Data Protection Obligations
ANNEX A
DESCRIPTION OF PROCESSING
Nature and purposes of Processing
SIE is a Canadian provider of Sign In Enterprise, a cloud-based visitor management and check-in service (the “Services”). The data Processing will involve any such Processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.
Categories of Data Subjects
Any categories of individuals whose data the Subscriber extracts, transfers, and/or loads onto the Service, which may include but is not limited to:
- Visitors to your business location who have been invited to use the customer-facing features of the Services; and
- Your past, present and prospective clients and business relationship contacts.
Categories of data
The personal data concerns the following categories of data for the Data Subjects:
- Data Subjects’ identification information (first and last name), contact information (which may include some or all of the Data Subject’s e-mail address, address, telephone number, fax number), and location; and
- Any other personal data that You choose to include in Your instance of the Services for Data Subjects to enter, notably health data for which You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.
The personal data transferred to SIE for Processing is determined and controlled by You in Your sole discretion. As such, SIE has no control over the volume and sensitivity of personal data Processed through the Services by You.
Special categories of data (if appropriate)
SIE does not intentionally collect or Process any special categories of data in the provision of the Services.
You agree not to provide special categories of data to SIE at any time, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.
Duration of Processing
The personal data will be Processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
ANNEX B
SIE SECURITY MEASURES
Network Controls
- SIE will monitor the networks used for Processing personal data for issues including but not limited to throughput, memory usage, response time, system load and error events.
- SIE will adhere to change management standards when any alterations to networks are implemented.
- SIE will assess network vulnerabilities on an ongoing basis and address critical vulnerabilities within SIE’s control within a reasonable time.
Application Controls
- SIE will maintain documentation outlining the overall application infrastructure and Process flows of personal data.
- SIE will perform code reviews on any and all code contributed to the applications used in Processing personal information.
- SIE will follow secure coding best practices in the development life cycle of its software including employing separate environments for development, QA and production.
- SIE will assess application vulnerabilities on an ongoing basis and address critical vulnerabilities within a reasonable time.
Data Controls
- SIE will employ best practices when storing any data generated from the Processing of personal data. Notwithstanding the foregoing, should a customer choose to configure an integration with a third party that is not provided by, required by, or approved by SIE, unless such integration is necessary in order to use the Services, customer and not SIE is responsible for ensuring that such a third party employs data storage and Processing best practices.
- SIE will use strong encryption (TLS) for all data in transit.
- SIE will create encrypted backups of data on an ongoing basis so that data can be restored if a restoration becomes necessary.
- SIE will ensure all SIE employee devices that have access to sensitive information are encrypted and monitored.