THRIVEDX CUSTOMER DATA PROCESSING ADDENDUM
This Data Processing Addendum and its appendixes (“Addendum”) forms an integral part of the Agreement (“Agreement”) between yourself (“Customer”) and ThriveDX SaaS Ltd. and its affiliates (“Company”; each “Party” and together “Parties”) and applies to the extent that Company processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Agreement. This Addendum supplements the Agreement; the provisions of the Agreement therefore apply to this Addendum.
Customer shall qualify as the Data Controller and Company shall qualify as the Data Processor, as these terms are defined under Data Protection Law.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
- Definitions
- “Approved Jurisdiction” means a member state of the EEA, or other jurisdiction as may be approved pursuant to the applicable Data Protection Law as having adequate legal protections for data by the European Commission.
- “Data Protection Law” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“), including any applicable domestic laws implementing the foregoing.
- “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing” shall have the meanings ascribed to them in the Data Protection Law.
- “EEA” means those countries that are members of the European Economic Area.
- “Permitted Purposes” mean any purposes in connection with Company performing its obligations under the Agreement.
- “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Company’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Company’s business activities.
- “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to data processors established in third countries adopted by the European Commission Decision EC/2010/87: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
- “Standard Contractual Clauses (Controllers)” mean the standard contractual clauses for the transfer of personal data to data controllers established in third countries adopted by the European Commission Decision 2004/915: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
- “Sub-Processors” mean any Affiliate, agent or assignee of Company that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Company.
- Application of this Addendum
- This Addendum will only apply to the extent all of the following conditions are met:
- Company processes Personal Data that is made available by the Customer in connection with the Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);
- The Data Protection Law applies to the processing of Personal Data.
- This Addendum will only apply to the services for which the parties agreed to in the Agreement, which incorporates the Addendum by reference.
- Compliance with Laws
- Each Party shall comply with its respective obligations under the Data Protection Law.
- Company shall provide reasonable cooperation and assistance to Customer in relation to Company’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under the Data Protection Law.
- Company agrees to notify Customer promptly if it becomes unable to comply with the terms of this Addendum and take reasonable and appropriate measures to remedy such non-compliance.
- Throughout the duration of the Addendum, Customer agrees and warrants that:
- Personal Data has been and will continue to be collected, processed and transferred by Customer in accordance with the relevant provisions of the Data Protection Law;
- Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Law;
- the processing of Personal Data by Company for the Permitted Purposes, as well as any instructions to Company in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law; and that
- The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the Addendum and obtained the relevant consents or lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).
- Notwithstanding anything to the contrary in this Addendum, Customer acknowledges that Company shall have the right to collect, use and disclose data:
- collected in the context of providing the services contemplated under the Agreement, for the purpose of the operation, support or use of its services for its legitimate business purposes, such as account management, technical support, troubleshooting, security patches, fraud prevention, billing, sales and marketing, as well as for the purpose of product improvement and development, and for the purpose of establishment/ exercise and defense of legal claims.
- collected from the Customer’s authorized representatives (e.g. employees) and/or authorized users, strictly for the purpose of administrating the business and/or contractual relationship with the Customer, including for billing, audit and recordkeeping purposes.
- To the extent that any data referred to under section 3.5 is considered Personal Data:
- Company is an independent Data Controller of such data under the Data Protection Law.
- To the extent that Company processes Personal Data outside the EEA, then the Parties shall be deemed to enter into the Standard Contractual Clauses (Controllers).
- Processing Purpose and Instructions
- The subject-matter of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, shall be as set out in the Agreement, or in the attached Appendix, which is incorporated herein by reference.
- The duration of the processing under the Agreement is determined by the Parties, as set out in the Agreement.
- Company shall process Personal Data only for the Permitted Purposes and in accordance with Customer’s written Processing Instructions (unless waived in a written requirement), the Agreement and the Data Protection Law, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
- To the extent that any Processing Instructions may result in the Processing of any Personal Data outside the scope of the Agreement and/or the Permitted Purposes, then such Processing will require prior written agreement between Company and Customer, which may include any additional fees that may be payable by Customer to Company for carrying out such Processing Instructions. Company shall immediately inform Customer if, in Company’s opinion, an instruction is in violation of Data Protection Law.
- Additional instructions of the Customer outside the scope of the Agreement require prior and separate agreement between Customer and Company, including agreement on additional fees (if any) payable to Company for executing such instructions.
- Reasonable Security and Safeguards
- Company represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Company in connection with this Agreement, and (ii) to protect such data from Personal Data Breach incidents.
- The Security Measures are subject to technical progress and development and Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Customer.
- Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision which has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Company is responsible for performing its obligations under the Agreement in a manner which enables Company to comply with Data Protection Law, including implementing appropriate technical and organizational measures.
- Personal Data Breach
- Upon becoming aware of a Personal Data Breach, Company will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. Company will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
- Security Assessments and Audits
- Company audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by Company’s internal audit team or by third party auditors engaged by Company, and will result in the generation of an audit report (“Report”), which will be Company’s confidential information.
- Company shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected, no more than once a year, by Customer (or its designee), at Customer’s expense, in order to ascertain compliance with this Addendum. Company shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation.
- At Customer’s written request, and subject to obligations of confidentiality, Company may satisfy the requirements set out in this section by providing Customer with a copy of the Report so that Customer can reasonably verify Company’s compliance with its obligations under this Addendum. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Company written notice. If Company declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this Addendum and the Agreement.
- Cooperation and Assistance
- If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under EU Data Protection Law, Company will promptly redirect the request to Customer. Company will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- If Company receives a legally binding request for the disclosure of Personal Data which is subject to this Addendum, Company shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. It is hereby clarified however that if no such response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Company shall be entitled to provide such information.
- Notwithstanding the foregoing, Company will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data.
- Upon reasonable notice, Company shall:
- Taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject’s rights, at Customer’s expense;
- Provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Company, the parties shall first come to agreement on Customer reimbursing Company for such costs and expenses.
- Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing Company to carry out the audit described in section 7.
- Use of Sub-Processors
- Customer provides a general authorization to Company to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub-Processors in accordance with this Clause.
- Company may continue to use those Processors and/or Sub-Processors already engaged by Company as at the date of this Agreement, subject to Company in each case as soon as practicable meeting the obligations set out in this Clause.
- Company can at any time and without justification appoint a new Processor and/or Sub-Processor provided that Customer is given fifteen (15) days’ prior notice and the Customer does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Processor and/or Sub-Processor’s non-compliance with Data Protection Law. If, in Company’s reasonable opinion, such objections are legitimate, Company shall either refrain from using such Processor and/or Sub-Processor in the context of the processing of Personal Data or shall notify Customer of its intention to continue to use the Processor and/or Sub-Processor. Where Company notifies Customer of its intention to continue to use the Processor and/or Sub-Processor in these circumstances, Customer may, by providing written notice to Company, terminate the Agreement immediately.
- With respect to each Processor and/or Sub-Processor, Company shall:
- ensure that the arrangement between Company and the Processor and/or Sub-Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR;
- upon Customer’s request, provide copies of Company’s agreements with Processors and/or Sub-Processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement).
- Company will be responsible for any acts, errors or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this Addendum.
- Transfer of EEA resident Personal Data outside the EEA
- To the extent that Company processes Personal Data outside the EEA, then the Parties shall be deemed to enter into the Standard Contractual Clauses, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein).
- Company may transfer Personal Data of residents of the EEA or Switzerland outside the EEA (“Transfer”), only subject to the following:
- The Transfer is necessary for the purpose of Company carrying out its obligations under the Agreement, or is required under applicable laws; and
- The Transfer is done: (i) to an Approved Jurisdiction, or (ii) subject to appropriate safeguards (for example, through the use of the model contracts, or through the Privacy Shield framework as referred to in the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, or other applicable frameworks), or (iii) in accordance with any of the exceptions listed in the Data Protection Law (in which event Customer will inform Company which exception applies to each Transfer and will assume complete and sole liability to ensure that the exception applies).
- Data Retention and Destruction
- Company will only retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement. Following expiration or termination of the Agreement, Company will delete or return to Customer all Personal Data in its possession as provided in the Agreement, except to the extent Company is required under applicable laws to retain the Personal Data. The terms of this Addendum will continue to apply to such Personal Data.
- Notwithstanding the foregoing, Company shall be entitled to maintain Personal Data following the termination of this Agreement for statistical and/or financial purposes provided always that Company maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal Data.
- Notwithstanding the foregoing, Company shall be entitled to retain Personal Data solely for the establishment or exercise of legal claims, and/or in aggregated and anonymized form, for whatever purpose.
- General
- Parties to the Addendum. By signing the Agreement, the Customer hereby enters into this Addendum and acknowledges that it has read and understood the terms of this Addendum and agrees to be legally bound by all of its terms. The legal entity agreeing to this Addendum on behalf of the Customer (as prescribed under the Agreement) represents that it is authorized to agree and to enter into this Addendum for and on behalf of itself.
- Any claims brought under this Addendum will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
- Notwithstanding anything to the contrary, in the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
- Company may change this Addendum if the change is required to comply with Data Protection Law, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the Company as the Data Processor; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company.
- Notification of Changes. If Company intends to change this Addendum under this section, and such change will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
APPENDIX 1
Except where explicitly stated otherwise, this Appendix is completed in accordance with the Standard Contractual Clauses and/or Standard Contractual Clauses (Controllers), and forms an integral part of the Standard Contractual Clauses.
Details of Data importer (Company)
As indicated inside the Agreement.
Governing law
With reference to Clause 9 and Clause 11(3) of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the law of the Member State in which the data exporter is established.
Data exporter and data importer activities relevant to the transfer
Activities relevant to the transfer include the performance of the services for Company and customers, as contemplated in the Agreement.
Duration of the data processing
The duration of the data processing shall be the duration of the Agreement.
Data subjects
The personal data transferred may concern the following categories of data subjects:
Data subjects include the individuals about whom data is provided to Data Importer via the services by (or at the discretion of) the Data Exporter. This may include, but is not limited to, personal data relating to the Data Exporter employees and end users.
Categories of data
The personal data transferred may concern the following categories of data:
Profile data, including name, date of birth, gender, telephone number, email address, IP address and device identifiers, usage data, device data, navigation data.
Purpose of processing operations
The transfer of personal data is made for the following purposes and subject to the below processing activities, as may be further set forth in contractual agreements entered into from time to time between the Company and Customer:
Customer service activities, such as processing orders, providing technical support and improving offerings.
APPENDIX 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES EXHIBIT
This Appendix forms part of the Clauses and describes the technical and organisational security measures implemented by the data importer.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.