Data Processing Addendum
This Data Processing Addendum (the "DPA”) describes the obligations of the parties regarding the processing of Personal Data of Customer.
The provisions set forth below apply where Provider processes Personal Data for the purposes of performing the Services.
1. Definitions
Controller: any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data that may be performed as part of the Agreement. Unless, otherwise specified, Customer is Controller.
Data Protection Regulation(s): This means all applicable laws and regulations relating to the processing, protection or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This may include the GDPR, and all additional regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing.
Data Subject: any identified or identifiable natural person from whom Personal Data is collected. This definition may be expanded based on local Data Protection Regulation requirements. (e.g. the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and related regulations or guidance provided by the California Attorney General (collectively “CCPA”) definition including that of the household). The type(s) of Personal Data processed by the Processor and other relevant information describing the nature and purpose is specified in the Description of the Processing chart at the end of this DPA.[BN1] [BN1]Modified this sentence from the language on the website, to reflect that chart is no longer an appendix.
Data Subject Request: a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).
General Data Protection Regulation or GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC. GDPR applies to Customer Personal Data of this DPA when the Customer specifically intended to draw European Economic Area (EEA) Data Subjects as customers.
Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data will also include, as applicable Data Protection Regulation requires, the data under the defined terms of personal information, personally identifiable information, credit card information, or patient health information. The type(s) of Personal Data processed by the Processor and other relevant information describing the nature and purpose is specified in the Description of the Processing chart at the end of this DPA.
Personal Data Breach or Breach: any suspected or actual security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed.
Processing or Processed: every operation or set of operations which is performed with regard to Personal data, including without limitation the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Customer Personal Data. Processing includes the purposes and operations mentioned within an appendix of each SOW.
Processor: the person or body which processes or sub-processes Personal Data under the instructions of Customer or any other relevant Controller(s). Processor for the purposes of this DPA is Provider. Provider and/or its Affiliates is (are) Processor(s). Processor is also to be a Service Provider as defined under the CCPA.
Subprocessor: any natural or legal person engaged by Processor only for the performance of the Processing under the Agreement and as specifically authorized in advance in writing by Controller.
Third Party(/ies): any company or entity other than Customer, Provider, or an affiliate and other than Processor, Data Subject and Controller and persons who, under the direct authority of Controller or Processor are authorized to process Personal Data.
Third-Party Country: any country, territory, or specified sector within that country, outside of the Personal Data country of origin.
2. Compliance with Data Protection Regulation
(a) Each party warrants to the other that it shall comply at all times with their respective obligations under the applicable Data Protection Regulation in disclosing Personal Data to the other party, and in the performance of its obligations under the Agreement.
(b) Each party shall comply with its obligations as set out in the Data Protection Regulation. In the unlikely event that Provider does act as Controller in relation to any of the Personal Data Processed for the purposes of the Agreement, especially to Process the Personal Data of Customer’s employees identified as contacts, solely for the purpose of customer relationship management between Customer and Provider under the Agreement, Provider shall do so always in compliance with the Data Protection Regulation.
3. Obligations of Provider
Provider shall:
(a) comply with the Data Protection Regulation in relation to its performance of the Processing, in such a way as to not expose Controller to any violation of the Data Protection Regulation;
(b) process Controller Personal Data as a Processor on behalf of and only in accordance with the written instructions of Controller (and only for the purposes of performing the Agreement and determined by Controller, as documented within an appendix in each SOW);
(c) promptly inform Controller if Provider cannot provide such compliance for whatever reason of its inability to comply, in which case Controller reserves the right to immediately and automatically suspend any Processing and/or terminate the Agreement;
(d) not modify, amend or alter the contents of the Personal Data unless Processor has the prior written consent of Controller;
(e) upon Controller’s request, assist Customer in the fulfilment of Customer’s obligations to provide Data Subjects with the required information, to respond to requests and complaints made by the Data Subjects, to put in place appropriate security measures, to notify Personal Data Breach to the supervisory authority and/or to Data Subjects if required, and to carry out a data protection impact assessment or to prior consult the supervisory authority where required;
(f) maintain a record of all categories of Processing activities carried out on behalf of Customer in the performance of the Agreement;
(g) promptly notify (by sending an email to the email address listed in applicable Statement of Work or Purchase Order) Customer if Processor receives a Data Subject Request. Considering the nature of the processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Legislation. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Processor shall, upon Customer's request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Processor is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Legislation;
(h) promptly inform Customer (if lawful to do so) in writing (by sending an email to the email address listed in applicable Statement of Work or Purchase Order) if it receives any correspondence or request for information from a supervisory authority in relation to Customer Personal Data to which this DPA relates; Provider shall provide such reasonable assistance to the Data Subject in order to respond to such supervisory authority; and provide assistance and co-operation by supporting Controller to carry out any required risk assessments and audits of Provider's Data Processing operations; and
(i) delete or return all Customer Personal Data and any copies thereof which it is processing, has processed or have had processed on behalf of Controller in a format agreed upon with Controller after the end of the performance of the Agreement at the choice of Controller, and delete existing copies unless the applicable local law requires storage of the Personal Data. Deletion of data shall be performed in a manner that is at a minimum compliant with Data Protection Regulation requirements.
4. Security and Confidentiality Measures
(a) Processor shall take and implement the appropriate, relevant industry standard, technical and organizational security and confidentiality measures (examples include applicable ISO or SSAE standard industry certifications standards) to ensure the security and confidentiality of Customer Personal data, and regularly update them, to provide a level of security appropriate to the risk related the Processing of the Personal Data and to protect such data from any unauthorized or unlawful Processing, accidental loss, alteration, destruction or damage, as may be required or directed by Controller from time to time.
If the GDPR applies, these obligations must at a minimum comply with Article 32 of the GDPR.
(b) During the term of the Agreement, Processor shall implement and maintain training and awareness program regarding Personal Data security for its employees and Subprocessors who may have access to Personal Data. Processor shall ensure persons authorized to process Personal Data are properly trained in the Processing of Personal Data and only have access to the Personal Data on a need-to-know basis subject to obligation of confidentiality. Processor shall also take steps to ensure that the authorized persons do not Process Personal Data except on instructions from Controller unless Processor is required to do so by locale law.
(c) Processor shall require that any authorized persons entrusted with Processing Personal Data hereunder have undertaken to comply with the principle of confidentiality and have been duly instructed about the Data Protection Regulation.
(d) Processor shall implement awareness programs on Personal Data protection and confidentiality.
- i. During the term of the Agreement, Processor shall implement and maintain an up-to-date training and awareness program regarding Personal Data security for its employees and Subprocessors who may have access to Personal Data. Processor shall ensure persons authorized to process Personal Data are properly trained in the Processing of Personal Data and only have access to the Personal Data on a need-to-know basis subject to obligation of confidentiality. Processor shall also take steps to ensure that the authorization persons do not Process Personal Data except on instructions from Controller, unless Processor is required to do so by locale law.
- ii. Processor shall require that any authorized persons entrusted with Processing Personal Data hereunder have undertaken to comply with the principle of confidentiality and have been duly instructed about the Data Protection Regulation.
5. Sub-processors
(a) Processor shall not disclose or permit the disclosure of Personal Data to any Third Party, and/or shall not subcontract whole or part of the Processing to any Third Party, unless Processor has the prior written consent of Controller or as required by Data Protection Regulation.
(b) Controller provides a general authorization to Processor to engage onward subcontractors that are involved in processing of Personal Data or sub-processing Personal Data in connection with the provision of the Services (“Sub-processors”), subject to compliance with the requirements in the Data Protection Regulation, all Sub-processors are bound by contractual terms no less onerous than those contained in this DPA, and subject to Processor properly vetting Sub-processors for such compliance. The parties agree that the copies of the Sub-processor Agreements that must be provided by Processor to Controller may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent and the data protection clauses, removed by Processor beforehand, and that such copies will be provided by Processor, in a manner to be determined in its discretion, only upon written request by Controller.
The general authorization may be revoked in specific instances where Controller believes that a Sub-processor selected by Processor is objectionable, where such objection is reasonable. Processor must then cease the Sub-processor’s processing of Controller’s data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken to remediate the reasons for objection.
(c) Processor will:
- i. upon written request by Controller, make available to Controller a list of all Sub-processors, if any, together with a description of the nature of services provided by each Sub-processor (“Sub-processor List”). This Sub-processor List is available at https://www.inspirus.com/third-party-access and will update such a list prior to adding a Sub-processor to allow Controller reasonable time to object to any such additions.; and
- ii. be liable for the acts and omissions of its Sub-processors to the same extent Company would be liable if performing the services of each of those Sub-processors directly under the terms of this DPA, except as otherwise set forth in this DPA.
6. International Personal Data Transfers
(a) This Section 6 shall apply (i) where Controller is a EU Controller, or (ii) where Controller, even if not established in the European Union where Processor is established in the European Union, or where goods or services are offered to Data Subjects in the European Union, or where the behavior of such Data Subjects is monitored to the extent such behavior takes place within the European Union.
(b) Provider will process Personal Data in any Third-Party Country and/or have Personal Data processed in any Third-Party Country (including a Sub-processor), including for onward transfers of Personal Data from a Third-Party Country to another Third-Party Country, only where Provider has in place the required legal protections.
7. Personal Data Breach
(a) In the event of a Personal Data Breach arising during the performance of the services by Processor, Processor shall, at its own cost:
- i. notify Controller in writing (by sending an email to the email address listed in applicable Statement of Work or Purchase Order about the Personal Data Breach without undue delay of becoming aware;
- ii. after investigating the causes of such a Personal Data Breach, take actions as may be necessary or reasonably expected by Controller to minimize the effects of any Breach;
- iii. take all actions as may be required by Data Protection Regulation and, more generally, provide Controller with reasonable assistance in relation to Controller’ obligations to notify to the supervisory authority and to the Data Subjects, as the case may be, of the Breach;
- iv. maintain a record of all information relating to the Breach, including the results of its own investigations and authorities’ investigations; and
- v. cooperate with Controller and/or Customer and take all measures as necessary to prevent future Breaches from occurring again.
(b) In the event that it is determined in a forensic audit conducted by an independent third party engaged by Controller that a Breach is due solely or in part to Processor’s failure to comply with this Amendment, then Processor shall reimburse Controller for all reasonable costs and expenses, apportioned based on degree of fault as assigned by the audit. This reimbursement of all costs and expenses may include, but not be limited to, all fees due to such qualified, independent third party for such forensic audit, all fees and fines associated with the Breach (including notification costs), and any costs associated with a one-year contract for credit monitoring services if Controller decides to offer such monitoring as a result of the Breach. Notwithstanding the foregoing, Inspirus shall not be obligated to pay for the costs of the Breach in the event that the Breach would have been avoided if the Customer had installed all updates, modifications, service pack and patches available.
8. Evidence and Audit Rights
(a) Processor shall promptly provide to Controller, upon request, information reasonably necessary to demonstrate its compliance with this DPA.
(b) During normal hours of business and with reasonable prior notice to Processor, Controller, or its designated third party, may audit Processor’s processing and maintenance of Personal Data and compliance with this DPA: (i) once annually; (ii) any time a Breach has occurred; and (iii) if Controller, in its sole discretion, reasonably believes that a Breach has occurred or Processor is not in compliance with this DPA. Such audit procedures may occur through review of documentation provided by Processor and through conversations with Processor personnel responsible for compliance with the applicable terms of this DPA, who shall be made available by Processor for such purpose. Processor shall assist and cooperate in the performance of such audit procedures.
9. Processing of Personal Data of Provider
If Customer Processes Provider Personal Data that is collected in connection with the performance of the services:
(a) Provider Personal Data will be Processed for purposes of contractual relationship management with Provider, risk management purposes and data analytics purposes.
(b) Customer shall grant rights of access, rectification, limitation, erasure, and opposition on legitimate grounds in relation to Provider Personal Data that can be exercised by sending an email to Customer’s appropriate Data Protection contact at the following email addresses: info1@inspirus.com.
(c) Customer shall grant the right to data portability.
(d) Provider Personal Data will be Processed in accordance with the Data Protection Regulation and will follow the corresponding obligations as stated in Section 3 above for Provider.
10. Indemnification
Subject to any liability limitations of the Agreement, Provider agrees to indemnify, keep indemnified, and defend at its own expense Customer against all costs, claims, damages, or expenses incurred by Customer or for which Customer may become liable due to any material failure by Provider or its employees, subcontractors or agents to comply with any of its obligations under this DPA or the Data Protection Regulation.
| DURATION OF THE PERSONAL DATA PROCESSING | Provider will process Personal Data throughout the duration of the contracted services provided to Customer. | |
| NATURE AND PURPOSE | Provider will be providing employee engagement and recognition technology, programs, awards, and related fulfillment services to Customers. | |
| TYPES OF PERSONAL DATA PROCESSED (THERE MAY BE OVERLAP) | ||
| Category | Examples | Processed? |
| A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | ☒ |
| B. Personal information categories |
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. |
☒ |
| C. Protected classification characteristics under CCPA |
(1) Personal Information that reveals (A) a consumer's social security, driver's license, state Identification card, or passport number; (B) consumer's account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mall, email and text messages, unless the business Is the Intended recipient of the communication; (F) a consumer's genetic data; and (2}(A) the processing of biometric Information for the purpose of uniquely identifying a consumer; (B) personal Information collected and analyzed concerning a consumer's health; or (C) personal Information collected and analyzed concerning a consumer's sex life or sexual orientation. |
☐ If applicable, please specify which types: |
| D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | ☒ |
| E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | ☐ |
| F. Internet or other similar network activity | Browsing history, search history, and information on a consumer's interaction with a website, application, or advertisement. | ☒ |
| G. Geolocation data | Physical location or movements. | ☒ |
| H. Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | ☐ |
| I. Professional or employment-related information | Current or past job history or performance evaluations. | ☐ |
| J. Non-public education information (per the Family Educational Rights and Privacy Act) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | ☐ |
| K. Inferences drawn from other personal information | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | ☐ |
| L. Sensitive Data under GDPR and CCPA/CPRA |
Information reflecting the (a) the racial or ethnic origin of the data subject; (b) their political opinions; (c) their religious beliefs or other beliefs of a similar nature; (d) whether they are a member of a trade union; (e) their physical or mental health or condition; (f) their sexual life or orientation; (g) the commission or alleged commission by them of any offence; or (h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. |
☐ |
| CATEGORIES OF DATA SUBJECTS | Customer employees | |