SECURITY AND PRIVACY REQUIREMENTS
This Privacy and Data Protection Addendum (“Addendum“) is entered into by Client and Company (together “Parties”). This Addendum is governed by the terms of the Agreement between the Parties for the supply of Services by Company to Client and reflects the Parties’ roles and responsibilities for the Processing of Personal Data.
This Addendum will take effect on the effective date of the Agreement and, notwithstanding expiry or termination of the Agreement, will remain in effect until and automatically expire upon deletion of all Personal Data in accordance with this Addendum.
1. Processing of Personal Data. The subject-matter of the Processing of Personal Data is the provision of the Services pursuant to the Agreement.
2. Obligations of the Company
2.1 Authorized Processing: Company shall:
a. Process Personal Data only: (i) on behalf and for the benefit of Client, (ii) in accordance with the instructions as documented in this Appendix and (iii) to the extent required by Applicable Data Protection Laws.
b. Process Personal Data exclusively for the following purposes: (i) provision of the Services requested by Client; (ii) execution of any instructions provided by Client regarding the Processing of Personal Data; (iii) compliance with any applicable law. Company shall not Process Personal Data for any other purpose, nor for its own commercial benefit, including, without limitation, to create de-identified or anonymized data, or to Sell, retain, use or disclose Personal Data for any commercial purpose or outside of the direct business relationship between the Parties.
c. Company certifies that it understands the restrictions contained in this Schedule and will comply with them.
2.2 General cooperation obligation: Company shall deal appropriately with Client’s requests for assistance to ensure Processing complies with Applicable Data Protection Laws.
2.3 Compliance: When providing the Services, Company shall at all times comply with Applicable Data Protection Laws.
2.4 Non-disclosure: Company shall keep Personal Data strictly confidential and not disclose it to any Third Party without the prior written approval of Client, except where such disclosure is required: (i) for the performance of the Services, or (ii) to comply with a legal obligation.
2.5 Confidentiality: Company shall ensure that its employees and any other person authorized to Process Personal Data: (i) are informed of the confidential nature of the Personal Data; (ii) will have access to Personal Data exclusively to the extent necessary to perform the Services (on a need-to-know basis); (iii) have received appropriate training on their responsibilities; and (iv) are legally bound by confidentiality obligations.
2.6 Security of Personal Data: Company shall implement and maintain a written information security and privacy program containing appropriate technical, physical and organisational security measures, procedures, and other safeguards to protect Personal Data against accidental or unlawful destruction or accidental loss, unauthorized alteration, disclosure, use or access and all other forms of unlawful Processing including, but not limited to, unnecessary collection or further Processing (“Safeguards”). Safeguards shall, taking into account the state of the art and costs of implementation and execution of the measures, ensure an adequate level of protection given the risks involved in the Processing and the nature of the Personal Data to be secured. The measures that Company must take in any event to protect Personal Data include, but are not limited to, the Encryption of any Personal Data. Company shall document and keep the Safeguards updated and in compliance with any Applicable Data Protection Laws. Upon Client’s request, Company shall provide Client with access to (and copies of) documentation and evidence regarding such Safeguards.
2.7 Security Incident: Company shall, without undue delay, inform Client if Company or any of its Sub-processors become aware of a Security Incident. In the event of a Security Incident, Company shall: (a) take all necessary and appropriate corrective actions to promptly mitigate and/or remedy the incident and minimize the possible adverse effects for the impacted Individuals; (b) fully cooperate with Client in all reasonable efforts to investigate the nature and scope of the incident; and (c) make available all assistance and information Client may need (including but not limited to: nature of the incident, categories and number of Individuals concerned, likely impact of the incident for Client and the Individuals concerned and the measures (to be) taken to address the Personal Data Breach). Unless required by law, Company shall not notify any Individuals or Third Parties of Security Incidents without first consulting and obtaining written permission from Client.
2.8 Information requests from Government Authorities: To the extent legally permitted, Company shall promptly inform Client if Company or any of its Sub-processors receive an inquiry, subpoena or request for inspection or audit from a Governmental Authority or court relating to the Processing.
2.9 Privacy rights of Individuals: To the extent legally permitted, Company shall, without undue delay, notify Client if it receives a Privacy Request. Taking into account the nature of the Processing, Company shall assist Client by providing appropriate technical and organizational measures, insofar as reasonably possible, for the fulfillment of Client’s obligation to address Privacy Requests.
2.10 Return and deletion of Personal Data: Company shall enable Client to delete Personal Data, where applicable in a manner consistent with the functionality of the Services. Unless Applicable Data Protection Laws require otherwise, Company shall delete all Personal Data (including existing copies) from any systems used to Process Personal Data upon termination of a Service and give a written confirmation or certification of such deletion to Client. In the event Applicable Data Protection Laws do not permit Company to return or destroy the Personal Data, Company warrants that it shall ensure the confidentiality of the retained Personal Data and shall not Process the Personal Data other than as required by applicable law.
2.11 Notification of non-compliance: Company shall, without undue delay, notify Client if Company or any of its Sub-processors cannot, for any reason, comply with the obligations under this Addendum or becomes aware of any circumstance or change in law that is likely to have a substantial adverse effect on Company’s ability to meet its obligations under this Addendum. Without prejudice to the termination provisions in the Agreement, Client is entitled to suspend or terminate with immediate effect the Agreement in whole or in part if Company and/or its Sub-processor(s) is unable to meet its obligations under this Addendum and Client has notified Company in writing of the specific non-compliance, until such time that the non-compliance is remedied.
2.12 Audit: Company shall audit its compliance and the compliance of its Sub-processors (if any), with the obligations of this Addendum. This audit shall: (a) cover all Processing of Personal Data performed under the Agreement in the previous calendar year; (b) be performed at least once per year; (c) be performed by an independent auditor at Company’s selection and expense; and (d) result in an audit report. Within two (2) weeks after completion of the audit, Company shall provide Client with a confidential copy of the audit report so that Client can reasonably verify compliance with this Addendum. Company shall take all immediate action to ensure that any weaknesses and issues identified in the audit report are adequately addressed.
3. Sub-processors
3.1 Company may engage Sub-processors to Process Personal Data under the conditions set forth in this Section 3. Company shall maintain a list of Sub-processors to which it discloses, transfers or allows access to Personal Data and inform Client of any changes to this list, giving Client the opportunity to object to such changes. The following Sub-processors are approved by Client as of the execution of this Agreement: Amazon Web Services, Braintree Payments, Google, Lacore, Mailgun, Rackspace, Rallio, ShipStation, SmartyStreets, Success Partners, Twilio, and Vendoti.
3.2 If Client reasonably objects to Company’s addition or replacement of a Sub-processor, Client will notify Company thereof in writing within thirty (30) days after receipt of Company’s notice. In such case, Company shall ensure that the objected Sub-processor will not Process Personal Data.
3.3 Company remains fully liable for Sub-processors’ performance as well as for any acts or omissions of its Sub-processors regarding Processing of Personal Data under this Agreement. Company warrants and represents that all its Sub-processors that are engaged to handle Client Data are contractually bound to the same (or no less protective) data protection obligations as those to which Company is bound.
4. Indemnification. Notwithstanding anything to the contrary in the Agreement, Company shall indemnify Client against all claims and costs, proceedings, damages and expenses (including legal and other professional fees) awarded against, incurred or paid in connection with the acts, omissions, faults or breaches of any of the provisions of this Addendum.
5. Miscellaneous
5.1 Order of precedence: In the event of any conflicts or inconsistencies between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall prevail with regard to the Processing of Personal Data irrespective of any indication to the contrary in the main body of the Agreement.
5.2 Severance: Should any provision of this Schedule be invalid or unenforceable, then the remaining provisions of this Addendum shall remain valid and in force.
DEFINITIONS. Terms used in this Addendum have the same meaning as in the Agreement. For the purposes of this Addendum, the following additional terms are defined:
“Affiliate”
means in relation to either Party, any legal entity which is directly or indirectly (i) owned or controlled by that Party; (ii) owning or controlling that Party; or (iii) owned or controlled by the legal entity owning or controlling that Party, for as long as such ownership or control exists. For the purpose of this definition, a legal entity shall be deemed “controlled” if: (i) more than 50% (fifty per cent) of its voting stock is owned by the controlling entity; or (ii) the controlling entity has the ability to direct the business activities or appoint the majority of the directors of such legal entity.
“Agreement”
means the relevant agreement between Company and Client for the purchase of Services.
“Applicable Data Protection Law(s)”
means any applicable federal, state, or other laws, regulations, industry recognized codes of conduct or other legal requirements governing the relationship between Company and Client and the services provided under this Agreement, including, without limitation, the California Consumer Privacy Act of 2018 and the General Data Protection Regulation of the European Union.
“Encryption”
means the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key. For the purposes of this agreement, any encryption mechanism used must accord with industry best practices for data encryption.
“Government Authority”
means a legislative, executive, administrative, or regulatory entity, judicial body, or other public agency or authority of any country, state, territory, or political subdivision of a country, state, or territory, or a person or entity acting under a grant of authority from or under contract with such public agency or authority, that is authorized by law to enforce individual rights with respect to Personal Data, or to oversee or monitor compliance with privacy, data protection, or data security laws, rules, regulations, or other laws.
“Individual”
means any individual whose Personal Data is Processed by Company.
“Personal Data”
means any individually identifiable information or information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household which is being Processed on behalf of Client.
“Personal Data Breach”
means any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Data maintained by Client or Company or a data breach as defined by Applicable Data Protection Law(s).
“Privacy Request”
means a request from an Individual to exercise its right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), cease to sell, data portability, object to the Processing, right not to be subject to automated individual decision making, or other right under Applicable Data Protection Laws.
“Processing”
means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processed” are to be construed accordingly.
“Sale” or “Sell”
means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to another business or a Third Party for monetary or other valuable consideration.
“Security Incident”
means (a) any of the following: (I) a Personal Data Breach; (II) a security vulnerability that carries a material risk of compromising the confidentiality, integrity, or security of Personal Data; or (III) a violation of applicable law relating to the Processing of Personal Data under this Agreement, (b) but Security Incident shall exclude, unless otherwise specified by Applicable Data Protection Law(s):
(I) any unintentional acquisition, access, or use of Personal Data by an employee or agent of Company if such acquisition, access, or use was made in good faith and does not result in further unauthorized or inappropriate Processing of Personal Data;
(II) any inadvertent disclosure by a person who is authorized to access Personal Data on behalf of Company to another person authorized to access Personal Data on behalf of Company, provided the information received as a result of such disclosure is not further used or disclosed in an unauthorized or inappropriate manner; or
(III) any loss or unauthorized acquisition of or access to Encrypted Personal Data, provided the confidential process or key that is capable of compromising the security, confidentiality, or integrity of the Encrypted Personal Data is not also subject to compromise, loss or unauthorized acquisition or access.
Without limiting the generality of the foregoing, a “Security Incident” shall include any loss or unauthorized acquisition, access, or use of Personal Data that triggers a breach notification requirement under Applicable Data Protection Law(s).
“Services”
means any services and other activities to be provided by Company to Client under the Agreement, for the provision of which Personal Data are Processed, including, without limitation, the provision of the NOW Platform and the components of it.
“Sub-processor”
means a party, including Company’s Affiliates and/or sub-contractors, engaged by Company to Process Personal Data.
“Third Party”
means a natural or legal person, public authority, agency or body other than the Individual, Client, Company and the persons who, under the direct authority of Client or the Company, are authorized to Process Personal Data.