Third Party Data Processing Agreement

Appinium for Learning (formerly LearnTrac)

THIRD PARTY DATA PROCESSING AGREEMENT

(V1.0 – September 28th, 2023)

Please complete the table below.

Summary:

Client (Controller) Full Legal Name:
Client (Controller) Address:
Client (Controller) Contact email address: (See Clause 15 – this will be used for all notices concerning this DPA and must have privacy/data protection responsibilities):
Client (Controller) Data Protection Officer or Privacy Officer (where applicable):
Client’s Contact for Security Breach Notification: Steve Jacobson / Darian Edwards
Appinium (Service Provider)’s Contact for Security Breach Notification: sjacobson@appinium.com, dedwards@appinium.com

This Appinium Vendor Data Processing Agreement (“DPA”) is concluded between the Appinium entity that is a party to the Vendor Main Agreement on behalf of itself and its Affiliates (“Appinium”, “Service Provider”, “Processor”) and the Client named above (“Client” or “Controller”) effective as of the effective date of the Main Agreement identified above (the “Main Agreement”), in reliance on the following facts.

Appinium provides services to the Client and will process or receive access to Personal Data of the Client’s employees and/or customers and other personal data of other people who collaborate with the Client from time to time. Such individuals will include data subjects in or from the European Economic Area and/or Switzerland and the UK (“EEA+”).

  1. DEFINITIONS 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 

“Australian Privacy Laws” means (a) the Privacy Act 1988 (Cth), (b) the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) and (c) any other statute, regulation or law in Australia or elsewhere relating to the protection of Personal Data in Australia.

“Authorized Affiliate” means any of the Client’s Affiliate(s) which is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.

“CCPA” means the California Consumer Privacy Act Cal. Civ. Code § 1798.100 et seq. and its implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 

“Data Protection Laws and Regulations” means all laws and regulations, including (without limitation) the GDPR, the UK GDPR, the Data Protection Act 2018, Australian Privacy Laws and the CCPA, as applicable to the Processing of Personal Data hereunder. 

“Data Subject” means the individual to whom Personal Data relates. 

“Client Data” means Personal Data and non-public information of the Client, including information of third parties that the Client is required to hold in confidence, to which the Service Provider has access pursuant to the Main Agreement.

“Service Provider Group” means Service Provider and its Affiliates engaged in the Processing of Personal Data. 

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 

“Personal Data” means any information relating to (i) an identified or identifiable natural person or household, and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Client Data where processed in accordance with this DPA.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. 

“Processor” means the entity which processes Personal Data on behalf of the Controller including as applicable any “service provider” as that term is defined by the applicable Data Protection Laws and Regulations. 

“Standard Contractual Clauses” means either the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors or those for the transfer of Personal Data to controllers (as the context requires), in each case established in third countries which do not ensure an adequate level of data protection, and current as at the date of the transfer (or, where the UK GDPR applies, any equivalent set of clauses approved by the UK Supervisory Authority, or other applicable authority in accordance with the Data Protection Laws and Regulations).

“Sub-processor” means any Processor engaged by the Service Provider, by a member of the Service Provider Group or by another Sub-processor.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or by the applicable Data Protection Laws and Regulations in the EEA, Switzerland and the UK.

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. In this Contract, in circumstances where the UK GDPR applies, references to the GDPR and its provisions will be construed as references to the UK GDPR and its corresponding provisions, and references to EU or Member State law shall be construed as references to UK law.

  2. PROCESSING OF PERSONAL DATA 
    1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data in the course of performance of the obligations in the Main Agreement, Client is the Controller and Service Provider is a Processor. The Service Provider represents and warrants that it is a “service provider,” for the purposes of the services it provides to the Client pursuant to the Main Agreement, according to the meaning given to that term in Section 1798.140(v) of the California Civil Code, as of the date hereof.
      1. Client Instructions. Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Unless specified elsewhere in the Main Agreement or the Service Provider’s performance of its obligations intrinsically require otherwise, the Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Client acquired Personal Data. 
      2. Service Provider’s Processing of Personal Data. The Service Provider shall treat Client’s Data as Confidential Information and shall only Process Personal Data on behalf of the Client pursuant to the Main Agreement and in accordance with Client’s instructions for the following purposes: (i) Processing in accordance with the Main Agreement; and (ii) Processing to comply with other reasonable instructions provided by the Client (e.g., via email) where such instructions are consistent with the terms of the Main Agreement. Service Provider is prohibited from: (i) selling the Personal Data; (ii) retaining, using, disclosing, or processing Personal Data for any purpose other than for the specific purpose of performing the services specified in the Main Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the services specified in the Main Agreement; or (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the Client and the Service Provider; or (iv) as legally required from time to time. The Service Provider hereby confirms that it understands the restrictions set forth in this section and will comply with them.
      3. Details of the Processing. The subject-matter of Processing of Personal Data by the Service Provider is the performance of the services/obligations of the Service Provider described in the Main Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
  3. RIGHTS OF DATA SUBJECTS 
    1. Data Subject Request. The Service Provider shall, to the extent legally permitted, promptly notify the Client if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, the Service Provider shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent the Client, in its use of the Services, does not have the ability to address a Data Subject Request, the Service Provider shall upon Client’s request use commercially reasonable efforts to assist the Client in responding to such Data Subject Request, to the extent Service Provider is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
  4. SERVICE PROVIDER PERSONNEL 
    1. Confidentiality. The Service Provider shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. The Service Provider shall ensure that such confidentiality obligations survive the termination of the personnel engagement. 
    2. Reliability. The Service Provider shall take commercially reasonable steps to ensure the reliability of any Service Provider personnel engaged in the Processing of Personal Data. 
    3. Limitation of Access. The Service Provider shall ensure that Service Provider’s access to Personal Data is limited to those personnel who require such access to perform the Main Agreement. 
    4. Data Protection Officer. The Service Provider will: (i) at all times have in place an employee responsible for compliance with Data Protection Laws and Regulations; and (ii) appoint a data protection officer where such appointment is required by Data Protection Laws and Regulations. The appointed person’s contact details must be notified to the Client and/or updated with any change to such contact details. Any such notifications/updates shall be sent to dedwards@appinium.com.
  5. TRANSFER 
    1. The Service Provider will only transfer Client’s Data in compliance with applicable Data Protection Laws and Regulations.
    2. The Service Provider will not, nor require or permit any Sub-processor to, without the prior written consent of the Client, make a transfer of Client’s Data, except a transfer either directly or via onward transfer, to any country or recipient: (i) in the case of transfers from the EEA, recognized by the European Commission or other applicable authority, as providing an adequate level of protection for Personal Data (as described or referred to in applicable Data Protection Laws and Regulations), and/or (ii) covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data where compliance with such framework is required by applicable Data Protection Laws and Regulations.
    3. The Service Provider shall notify the Client of all international transfers of Client’s Data in accordance with clause 5.2, and keep Client notified of all international transfers of Client Data required as part of the performance of the Main Agreement. 
  6. SUB-PROCESSORS 
    1. The Client acknowledges and expressly agrees that (a) Service Provider’s Affiliates may be retained as Sub-processors; and (b) Service Provider and Service Provider’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.  The Service Provider shall make available to the Client the current list of Sub-processors. 
    2. Should the Service Provider look to engage a new Sub-processor or replace an existing Sub-processor while Client is in contract with the Service Provider, Service Provider shall notify the Client in advance or provide the Client with the possibility to subscribe to updates.
    3. The Service Provider shall be liable for the acts and omissions of its Sub-processors to the same extent the Service Provider would be liable if performing the services of each Sub-processor directly under the terms of this DPA. 
  7. SECURITY 
    1. Controls for the Protection of Personal Data. The Service Provider shall maintain administrative, physical and technical safeguards designed for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client’s Data), confidentiality and integrity of Client Data, including Personal Data, in accordance with Appendix 2/Annex 2 (as applicable) to the Standard Contractual Clauses as set out in Schedule 2 hereto. The Service Provider will not materially decrease the overall security of the Services during the term of the Main Agreement. 
    2. Attestations/Certifications. Upon Client’s written request no more frequently than once annually, the Service Provider shall provide to the Client a copy of Service Provider’s then most recent internal or external security attestations and/or certification(s) in place for the Services e.g. a SOC1 report.  The Service Provider may require Client to sign a nondisclosure agreement reasonably acceptable to the Service Provider before providing a copy of such security attestations/ certification(s) to the Client. 
  8. SECURITY BREACH MANAGEMENT AND NOTIFICATION 

The Service Provider maintains security incident management policies and procedures and shall notify the Client without undue delay (and in any event within forty-eight (48) hours) after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client’s Data, including Personal Data, transmitted, stored or otherwise Processed by the Service Provider or its Sub-processors of which the Service Provider becomes aware (a “Client’s Data Incident”).  The notification must include at the time of notification or as the information becomes available following initial notification: (i) a description of the nature of the breach; (ii) the name and contact details of the data protection officer or other contact point; (iii) a description of the likely consequences of the breach; and (iv) a description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.  Service Provider will, in respect of any Security Breach, work with the Client, at Service Provider’s cost and expense, to comply with Data Protection Laws and Regulations including breach notification requirements to which Client may be subject. The Service Provider will promptly take all necessary and appropriate action to identify and remediate the cause of such Security Breach.

  9. DISCLOSURE OF CLIENT DATA
    1. As of the date of this contract, the Service Provider has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
    2. The Service Provider will not disclose Client Data to law enforcement unless required by law. If law enforcement contacts the Service Provider with a demand for Client Data, the Service Provider will attempt to redirect the law enforcement agency to request that data directly from the Client. If compelled to disclose Client’s Data to law enforcement, the Service Provider will promptly notify the Client and provide a copy of the demand unless legally prohibited from doing so.
    3. Upon receipt of any other third-party request for Client’s Data, the Service Provider will promptly notify the Client unless prohibited by law. The Service Provider will reject the request unless required by law to comply. If the request is valid, the Service Provider will attempt to redirect the third party to request the data directly from the Client.
    4. The Service Provider will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Client’s Data; (b) platform encryption keys used to secure Client’s Data or the ability to break such encryption; or (c) access to Client’s Data if the Service Provider is aware that the data is to be used for purposes other than those stated in the third party’s request.
    5. In support of the above, the Service Provider may provide Client’s basic contact information to the third party.
    6. The Service Provider will document and record the requests for access received from public authorities and the response provided, alongside a summary of the legal reasoning and the actors involved. When and to the extent legally permissible, the Service Provider will provide these records to the Client, who may provide them to affected data subjects.
  10. RETURN AND DELETION OF CLIENT DATA 

Following the termination or expiration of the Main Agreement, or at the request of the Client, the Service Provider shall, in a timeframe and format requested by the Client, return all Client’s Data, and/or securely delete and destroy the Client Data such that it is rendered unusable, unreadable, unreconstructable and indecipherable, including without limitation shredding, permanently erasing and deleting and degaussing, as applicable. Upon Client’s request, the Service Provider shall provide written certification by a senior leadership team member that all such Client Data has been returned or deleted consistent with this DPA.

  11. AUTHORIZED AFFILIATES 
    1. Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between the Service Provider and each such Authorized Affiliate subject to the provisions of this Clause 11 and Clause 12 below. Each Authorized Affiliate agrees to be bound by the obligations under this DPA.
    2. Communication. The Client that is the contracting party to the Main Agreement shall remain responsible for coordinating all communication with the Service Provider under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. 
    3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with the Service Provider, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
      1. Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against the Service Provider directly by itself, the parties agree that (i) solely the Client entity that is the contracting party to the Service Provider Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Client entity that is the contracting party to the Main Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Clause 11.3.2, below). 
      2. The Client entity that is the contracting party to the Main Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on the Service Provider and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
  12. EUROPE-SPECIFIC PROVISIONS 
    1. GDPR. The Service Provider will Process Personal Data in accordance with the GDPR and/or UK GDPR (as applicable) requirements directly applicable to Client’s provision of its Services. 
    2. Data Protection Impact Assessment. Upon Client’s request, the Service Provider shall provide the Client with reasonable cooperation and assistance needed to fulfil Client’s obligation under the GDPR and/or UK GDPR (as applicable) to carry out a data protection impact assessment related to Client’s use of the Services, to the extent the Client does not otherwise have access to the relevant information, and to the extent such information is available to the Service Provider. The Service Provider shall provide reasonable assistance to the Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Clause 9.2, to the extent required under the GDPR and/or UK GDPR (as applicable). 
    3. Transfer Mechanisms for Data Transfers.  Subject to the terms of this DPA (including Clause 12.6 below), the Service Provider utilizes the applicable Standard Contractual Clauses as the transfer mechanism to any online transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. For transfers from the UK or pursuant to UK GDPR, the Standard Contractual Clauses contained at UK GDPR SCC shall apply. For transfers from the EEA or Switzerland or pursuant to GDPR, the Standard Contractual Clauses contained at EEA SCC shall apply, which contain the applicable modules available as between Controller and Processor.   
    4. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the applicable Standard Contractual Clauses. Accordingly, if and to the extent the applicable Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Personal Data outside of either the UK or the EEA (as appropriate), the Standard Contractual Clauses shall prevail to the extent of such conflict.
    5. In the event that the form of the Standard Contractual Clauses referred to in Clause 12.3 is changed or replaced by the relevant authorities under Data Protection Laws and Regulations, the Client as Controller should notify the Service Provider as Processor of such form.  Provided that such form is accurate and applicable to the Service Provider as Processor, such form shall then be binding upon the parties when both parties have executed the revised form, subject to the expiration of a grace period, if any, determined by the relevant Supervisory Authorities.
    6. Additional Terms for SCC Services (for Transfers from UK only).
      1. Clients covered by the Standard Contractual Clauses. These Standard Contractual Clauses and the additional terms specified in this Clause 12.6.1 apply to (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of the Client established within the European Economic Area, Switzerland and the United Kingdom, which have signed Order Forms for the SCC Services. For the purpose of the Standard Contractual Clauses and this Clause 12.6, the aforementioned entities shall be deemed “data exporters”.
      2. Instructions. This DPA and the Main Agreement are Client’s complete and final instructions at the time of signature of the Main Agreement to the Service Provider for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Client to process Personal Data: (a) Processing in accordance with the Main Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the SCC Services and (c) Processing to comply with other reasonable instructions provided by the Client (e.g., via email) where such instructions are consistent with the terms of the Main Agreement. 
      3. Appointment of New Sub-processors and List of Current Sub-processors. Client acknowledges and expressly agrees that (a) Service Provider’s Affiliates may be retained as Sub-processors; and (b) Service Provider and Service Provider’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the SCC Services. The Service Provider shall make available to the Client the current list of Sub-processors in accordance with Clause 5.2 of this DPA.
      4. Copies of Sub-processor Agreements. The parties agree that the copies of the Sub-processor agreements that must be provided by the Service Provider to the Client pursuant to the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by the Service Provider beforehand; and, that such copies will be provided by the Service Provider, in a manner to be determined in its discretion, only upon the written request of the Client. 
      5. Audits and Certifications. The parties agree that the audits described in the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon Client’s request, and subject to the confidentiality obligations set forth in the Main Agreement, the Service Provider shall make available to the Client (or Client’s independent, third-party auditor that is not a competitor of the Service Provider and that has signed a nondisclosure agreement reasonably acceptable to the Service Provider) information regarding the Service Provider Group’s compliance with the obligations set forth in this DPA. Following any notice by the Service Provider to the Client of an actual or reasonably suspected unauthorized disclosure of Personal Data, upon Client’s reasonable belief that the Service Provider is in breach of its obligations in respect of protection of Personal Data under this DPA, or if such audit is required by Client’s Supervisory Authority, the Client may contact the Service Provider in accordance with the “Notices” Clause to request an audit of Service Provider procedures relevant to the protection of Personal Data. Any such request shall occur no more than once a year, save in the event of an actual or reasonably suspected unauthorized access to Personal Data. The Client shall reimburse the Service Provider for any time expended for any audit at current professional services rates if required by the Service Provider, which shall be made available to the Client upon request. Before the commencement of any such on-site audit, Client and Service Provider shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the Service Provider. The Client shall promptly notify the Service Provider with information regarding any non-compliance discovered during the course of an audit.
      6. Conflict. In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 
    7. Additional Terms for SCC Services (for Transfers from EEA and Switzerland only).  

In Section IV (Final Provisions), Clause 17 MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Service Provider is established, or, if the Service Provider is not established in any EU member state, then the law of the country where the Client is established.

In Section IV (Final Provisions), Clause 18(b) for MODULE ONE: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Service Provider is established, or, if the Service Provider is not established in any EU member state, then the courts of the country where the Client is established.

In Annex I of the EU SCCs

Data Importer: Service Provider.

Activities relevant to the data transferred under these Clauses: The services as further described in the Main Agreement.

Role: Processor.

Data Exporter: Client.

Activities relevant to the data transferred under these Clauses: provision of enterprise cloud computing solutions.

Role: Controller.

Description of Transfer: As per Schedule 1 hereto

Categories of data subjects whose personal data is transferred: As per Schedule 1 hereto.

Categories of personal data transferred: As per Schedule 1 hereto.

Sensitive data transferred: As per Schedule 1 hereto.

The frequency of the transfer: on a continuous basis upon request.

Nature of the processing: disclosure by transmission.

Purpose(s) of the data transfer and further processing: As per Schedule 1 hereto.

The period for which the personal data will be retained: so long as required for Client’s business needs.

Transfers to (sub-) processors: Applicable. Microsoft and Salesforce.

Competent Supervisory Authority: Data Protection Commissioner of the country where the client is established.

  13. THIRD-PARTY BENEFICIARY RIGHTS OF DATA SUBJECTS UNDER SCC 2010

Data Subjects who are entitled to third party beneficiary rights under a contract between Client and a customer that incorporates the SCC 2010 shall have third party beneficiary rights as contemplated in the SCC 2010 also vis-à-vis Vendor. With respect to such individual data subjects and their personal data, this DPA and the SCC 2010 shall take precedence over any conflicting terms in any commercial agreements between Client and Service Provider.

  14. NOTICES

Any notification a party is required to provide pursuant to this Agreement will be provided to the persons below:

Client: 

Information Security and Data Privacy:

EMAIL cc

Service Provider:  The details set out on the first page of this DPA.

  15. SEVERANCE 

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

List of Schedules 

Schedule 1: Details of the Processing 

Schedule 2: Annex 2/Appendix 2 to the Standard Contractual Clauses

The parties’ authorized signatories have duly executed this DPA:

SERVICE PROVIDER CLIENT

Signed: Signed:

Name: Name:

Title: Title:

Date: Date:

SCHEDULE 1

Details of the Processing

Nature and Purpose of Processing

Service Provider will Process Personal Data as necessary to perform the Services pursuant to the Main Agreement, as further specified in the Documentation, and as further instructed by the Client in its use of the Services.

Duration of Processing

Subject to Clause 8 of the DPA, Service Provider will Process Personal Data for the duration of the Main Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, business partners, vendors and subcontractors of the Client (who are natural persons)
  • Employees or contact persons of the Client, business partners, vendors and subcontractors
  • Employees, agents, advisors, contractors, and freelancers of the Client (who are natural persons), and their family members
  • Client’s Users authorized by the data exporter to use the Services

Type of Personal Data

Client may submit Personal Data to the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional skills information
  • Connection data
  • Localisation data

Schedule 2

Annex 2/Appendix 2 to the Standard Contractual Clauses

  1. Security and Privacy Obligations.  The Service Provider shall comply with this Annex 2/Appendix 2 at all times during the term of the Main Agreement.  Provision of systems and equipment to Service Provider or Service Provider personnel by Client does not relieve the Service Provider of any of the obligations of this Annex 2/Appendix 2.
    1. Data Sharing and Usage
      1. Client Data may not be shared with third parties, including subcontractors, except with Client’s prior written consent.
      2. Client Data may not be used or disclosed in any way that is not explicitly authorized by the Client.
      3. At Client’s reasonable request, Service Provider must (a) contractually agree to comply with laws or industry standards applicable to Client Data, if and to the extent such laws or frameworks apply to any Client Data that the Service Provider comes into contact with, or (b) if the Service Provider does not timely comply with any such request, allow the Client to terminate certain or all contracts with the Service Provider, subject to (i) a proportionate refund of any prepaid fees, (ii) transition or migration assistance as reasonably required, and (iii) without applying any early termination charges or other extra charges.
    2. Information Security Program
      1. The Service Provider must identify and assess the risks to Client Data in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
      2. The Service Provider must design and implement a safeguards program and regularly monitor and test it.
      3. The Service Provider must only select service providers that can maintain appropriate safeguards and make sure that contracts require them to maintain safeguards and oversee the handling of Client’s Data.
      4. The Service Provider must evaluate and adjust the program in light of relevant circumstances, including changes to the company’s business or operations or the results of security testing and monitoring.
    3. Employee Management and Training
      1. Notwithstanding the provisions of section 4 below regarding the specific background check obligations of personnel assigned to provide services to the Client, the Service Provider must also check references and do background checks before hiring employees who may have access to Client’s Data.
      2. The Service Provider must limit access to Client Data to employees who have a business reason to see it.
      3. The Service Provider must control access to sensitive information by requiring employees to use strong passwords that must be changed on a regular basis. 
      4. The Service Provider must use password-activated screensavers to lock employee computers after a period of inactivity.
      5. The Service Provider must develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
      6. The Service Provider must train employees to take basic steps to maintain the security, confidentiality, and integrity of Client’s Data. 
      7. The Service Provider must regularly remind all employees of its security policies and of the legal requirement to keep Client’s Data secure.
      8. The Service Provider must develop policies for employees who work remotely.
      9. The Service Provider must, always in compliance with and as permitted by applicable law, impose disciplinary measures for security policy violations.
      10. The Service Provider must prevent terminated employees from accessing data by immediately deactivating their passwords and user names and taking other appropriate measures. 
    4. Information Systems
      1. The Service Provider must catalog where Client Data is stored and ensure that it is stored securely. 
      2. The Service Provider must ensure that only authorized personnel have access to Client Data. 
      3. The Service Provider must take steps to ensure the secure transmission of Client Data. 
      4. When credit card information is transmitted, Secure Sockets Layer (SSL) or other secure connection must be used. 
      5. When credit card information is transmitted by email, it must be encrypted. 
      6. The Service Provider must dispose of Client’s Data in a secure way and, where the collection and processing of the data is subject to the U.S. Federal Trade Commission’s Disposal Rule, the Service Provider must comply with such rule.
    5. Detecting and Managing System Failures
      1. The Service Provider must deter, detect, and defend against security breaches by taking reasonable steps to prevent attacks, quickly diagnose security incidents, and have an incident response plan. 
      2. If the Service Provider becomes aware of any unauthorized access to Client Data, it shall immediately notify the Client, consult and cooperate with investigations and potentially required notices, and provide any information reasonably requested by Client. 
    6. Audits. In addition to the obligation to submit and contribute to audits as described in the DPA, the Service Provider shall submit to reasonable data security and privacy compliance audits by the Client and/or, at Client’s request and cost, by an independent third party, to verify compliance with the security measures described herein, applicable law, and any other applicable contractual undertakings. The Client will provide reasonable advance written notice of any request for an audit and will arrange for a mutually acceptable time to conduct the audit with the intent to minimize unnecessary or unreasonable business disruption.
  2. Status of Service Provider Personnel.  The Service Provider agrees and acknowledges that personnel providing services to the Client are not employees of the Client within the application of any applicable law, including without limitation any law or regulation of the USA, be it federal, state, city or local, including but not limited to laws or regulations covering health benefits, unemployment insurance, retirement benefits, workers’ compensation, industrial accident, labor or taxes of any kind.  The Service Provider personnel are not eligible to participate in Client’s employee benefits or programs, including company-sponsored health insurance plans, stock plans, and pension plans (401(k) plans in the USA).  The Service Provider is solely responsible for payment of all compensation and benefits owed to its personnel, including without limitation employment related taxes, participation in welfare plans and participation in applicable health plans.
  3. Personnel Confidentiality Agreements.
    1. Confidentiality Agreement.  All individual Service Provider personnel assigned to perform services for the Client will be required to have executed a written confidentiality agreement with the Service Provider consistent with Service Provider’s confidentiality obligations under this Agreement (a “Personnel Confidentiality Agreement”) as a pre-condition of their assignment to perform services for Client. 
    2. No Conflicts of Interest.  During the term of the Main Agreement, the Service Provider will not assign individual Service Provider personnel for whom accepting work with the Client would constitute an obligation inconsistent or incompatible with the individual personnel’s obligations, or the scope of services to be rendered for the Client, under the Main Agreement (including the Personnel Confidentiality Agreements).  
  4. Background Checks.  Subject to applicable law:
    1. Acknowledgment, Notice and Process. The Service Provider understands and agrees that all Service Provider personnel must pass a background check prior to being assigned to perform services for the Client.  The Service Provider will inform all personnel of this requirement prior to assigning the personnel to perform services for the Client.  The Service Provider shall conduct the full background check of personnel prior to assigning the personnel to perform services for the Client.  
    2. Required Trainings.  The Client reserves the right to require the Service Provider personnel to complete compliance-related training, at no cost to the Service Provider. It is anticipated that any such trainings will be completed via an online training tool generally available over the Internet.  
    3. Compliance with Employment Laws.  The Service Provider agrees that it will abide by all applicable labor and employment laws and regulations, including without limitation laws prohibiting discrimination in employment.  The Service Provider shall immediately report to Client’s Legal Department all complaints made by the Service Provider personnel of unlawful harassment or discrimination related to their assignment to perform services for the Client.  Where the Service Provider is performing services in the USA, Service Provider agrees that it will comply with the provisions of the Immigration and Reform Act (“ICRA”), and will assign to Client’s account only personnel who are authorized to work in the United States.  

On behalf of Service Provider, as data exporter:

Name (written out in full): ………………………………………………

Authorized Signature ……………………………………………………………….

On behalf of Client, as data importer:

Name (written out in full): ………………………………………………

Authorized Signature ……………………………………………………………….