DATA PROCESSING ADDENDUM

Last updated: 24 November, 2024

This Data Processing Addendum along with the exhibits thereto (collectively referred to as “DPA”) supplements the agreement signed by and between TrustedIQ Ltd (“TrustedIQ”) and the Customer (“Agreement”) and is incorporated by reference.

This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by TrustedIQ pursuant to the Agreement, as required by the Applicable Data Protection Laws. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. Except as modified below, this DPA automatically expires upon deletion of all Personal Data as described herein.

THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Agreement, between Customer and TrustedIQ.

‍

1. Definitions

 

1.1. The following expressions are used in this DPA:

(a) "Non-Adequate Country" means a country or territory that is not recognized under the GDPR or the UK GDPR, as applicable, as providing adequate protection for personal data;

(b) "Data Protection Laws" means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of Personal Information, as amended, replaced or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws;

(c) "EU/UK Data Protection Laws" means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them;

(d) "GDPR" means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);

(e) "Personal Data" means all data which is defined and regulated as ‘Personal Data’ in the EU Data Protection Laws and which is provided by Customer to TrustedIQ or accessed, stored or otherwise processed by TrustedIQ in connection with the Services;

(f) "UK GDPR" means the United Kingdom General Data Protection Regulation;

(g) "United States Data Protection Laws" means any United States’ state or federal data protection law as such law may be amended, replaced, or consolidated from time to time;

(h) "processing", "data controller", "data subject", "supervisory authority" and "data processor" will have the meanings ascribed to them in the UK GDPR.

2. Status of the parties

2.1 The Agreement(s) determines the subject matter and the duration of TrustedIQ’s processing of Personal Data, as well as the nature and purpose of any collection, use and other processing of Personal Data (collectively, the “Particulars”) and the rights and obligations of Customer. Appendix 1 to the Standard Contractual Clauses specifies the Particulars and will apply to all processing of Personal Data subject to this DPA, regardless of whether such processing is subject to Section 8 of this DPA.

2.2 As between the parties, Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the “Customer Legal Basis Assurance”). Each of Customer and TrustedIQ warrants in relation to Personal Data that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the Data Protection Laws; provided, however, that TrustedIQ’s warranty is subject to Customer Legal Basis Assurance. Each of Customer and TrustedIQ agrees that it shall notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.

2.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the Data Controller and TrustedIQ is the Data Processor and accordingly TrustedIQ agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.

2.4 Each of TrustedIQ and Customer will notify the other of one or more individuals within its organisation authorised to respond from time to time to enquiries regarding Personal Data and each of TrustedIQ and Customer will deal with such enquiries promptly.

3. General Obligations Relating to the Processing of Personal Data

3.1 With respect to all Personal Data, TrustedIQ agrees that it will:

(a) only process the Personal Data in order to provide the Services and will act only in accordance with this Agreement and Customer's written instructions. The terms of the Agreement and this DPA constitute the Customer’s written instructions to TrustedIQ in relation to the processing of personal data. For the avoidance of doubt, the Customer can issue further instructions for processing at any time;

(b) in the unlikely event that applicable law requires TrustedIQ to process Personal Data other than pursuant to Customer's instructions, immediately notify Customer (unless prohibited from so doing by applicable law);

(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in TrustedIQ’s possession or under its control. Such measures include the security measures specified in TrustedIQ’s information security policies;

(d) ensure that its personnel have access to such Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere to the Agreement and this DPA;

(e) without delay after becoming aware and in any case within forty-eight (48) hours, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in TrustedIQ’s possession or under its control (including when transmitted, stored or otherwise processed by TrustedIQ) (a "Security Breach");

(f) taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and information in TrustedIQ's possession concerning the Security Breach, including, to the extent known to TrustedIQ, the following:

(i) the nature of the Security Breach;

(ii) the categories and approximate number of data subjects concerned;

(iii) the categories and approximate number of Personal Data records concerned;

(iv) the likely consequences of the Security Breach;

(v) a summary of the unauthorised recipients of the Personal Data; and

(vi) the measures taken or proposed to be taken by TrustedIQ to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects;

(g) Insofar as a Security Breach relates to Customer, TrustedIQ will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Breach or disclosure request which directly or indirectly identifies Customer (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer’s prior written approval, unless, and solely to the extent that, TrustedIQ is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, TrustedIQ shall provide Customer with reasonable prior written notice to provide Customer with the opportunity to object to such disclosure and in any case, TrustedIQ shall limit the disclosure to the minimum scope required.

 

(h) return or delete Customer’s Personal Data within thirty (30) days of termination or expiration of the Term, save where otherwise agreed with the Customer. TrustedIQ shall comply with all directions provided by Customer with respect to the return or disposal of Personal Data. This requirement shall not apply to the extent TrustedIQ is required by any applicable law to retain some or all of the Personal Data, in which event TrustedIQ shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

(i) assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:

(i) data protection impact assessments (as such term is defined in the applicable Data Protection Laws);

(ii) subject access requests;

(iii) notifications to the supervisory authority/regulators under applicable Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and

(iv) Customer’s compliance with its obligations under applicable Data Protection Laws with respect to the security of processing.

(j) assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under applicable Data Protection Laws. TrustedIQ will promptly notify Customer of requests received by TrustedIQ, unless otherwise required by applicable law. TrustedIQ will not make changes to such Personal Data except as agreed in writing with Customer.

 

4. Obligations Relating to the Processing of Personal Data subject to EU/UK laws

‍

4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, TrustedIQ agrees that it will:

(a) as soon as possible after becoming aware, inform Customer if, in TrustedIQ's opinion, any instructions provided by Customer under Clause 3.1(a) infringe the GDPR or UK GDPR;

(b) maintain records of its processing activities as required by EU/UK Data Protection Laws and to demonstrate its compliance with this DPA and make such records available to the applicable supervisory authority and/or the Customer upon request.

5. Obligations Relating to the Processing of Personal Data subject to United States Data Protection Laws

‍

5.1 With respect to all Personal Data subject to United States Data Protection Laws, TrustedIQ agrees that it will:

(a) not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

(b) not retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of TrustedIQ’s provision of Services and in accordance with this DPA.

(c) not combine Personal Data with personal data it receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject.

5.2 TrustedIQ agrees that the terms "Aggregate Consumer Information", “Service Provider”, “Approved Business Purpose” and "De-identified" will have the meanings ascribed to them in Cal. Civ. Code §1798.140, as that code section may be amended or replaced from time to time, and that TrustedIQ will process such Personal Data accordingly.

5.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that TrustedIQ is a Service Provider.

5.4 Notwithstanding the foregoing, and for the purpose of addressing other prospective data protection laws, TrustedIQ shall not process any Personal Data (regardless of where that individual resides) other than for a) the specific purpose of TrustedIQ’s performance of its Services or b) an Approved Business Purpose.

5.5 Subject to TrustedIQ’s compliance with this DPA, Customer agrees to make Personal Data available to TrustedIQ for the limited and specified purpose of providing the Services. Customer reserves the right to take reasonable and appropriate steps to help ensure that TrustedIQ processes Personal Data in a manner consistent with Customer’s obligations under United States Data Protection Laws, including without limitation the right, upon notice, to stop and remediate any unauthorized processing of Personal Data.

6. Sub-processing

‍

6.1 Customer authorises TrustedIQ to appoint sub-processors in accordance with this Section 6. TrustedIQ publishes a list of its sub-processors here

6.2 When any new sub-processor is engaged, TrustedIQ will add them to the Sub-processor List. TrustedIQ will give Customer prior written notice of any changes to the Sub-processor List, including full details of the processing to be undertaken by that respective Sub-processor, giving Customer fourteen (14) days to object upon reasonable data protection grounds by providing written notice of such objection to TrustedIQ.

6.3 If Customer objects to the authorisation of any future sub-processor on reasonable data protection grounds within fourteen (14) days of notification of the proposed authorisation, TrustedIQ will use its reasonable efforts to provide an alternative or workaround to avoid processing of Personal Data by the objected-to sub-processor to the satisfaction of Customer within a reasonable period of time.

6.4 TrustedIQ will require its sub-processors to comply with terms that provide substantially the same protection of Personal Data as those imposed on TrustedIQ in the Agreement and this DPA. TrustedIQ will be liable for all the acts and omissions of its sub-processors in relation to the Agreement and this DPA.


7. Audit and records

 

7.1 TrustedIQ will, in accordance with applicable Data Protection Laws, make available to Customer such information in TrustedIQ's possession or control as Customer may reasonably request with a view to demonstrating TrustedIQ's compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data.

7.2 TrustedIQ shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer, in order to assess TrustedIQ’s compliance with this DPA and Data Protection Laws. Such audits may be undertaken no more than once in a twelve (12) month period by providing TrustedIQ with reasonable notice. Customer shall reimburse TrustedIQ for any time expended for any such on-site audit at TrustedIQ’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and TrustedIQ shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.

 

8. Data transfers

‍

8.1 Customer will ensure that Customer and Customer’s authorised users are entitled to transfer the Personal Data to TrustedIQ so that TrustedIQ, and its sub-processors, may lawfully process the Personal Data in accordance with this DPA.

8.2 The Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the UK and EEA, including in the United States.

8.3 Insofar as the Agreement involves the transfer of Personal Data from the EEA to a Non-Adequate Country, the parties agree to comply with the Standard Contractual Clauses – Module 2, incorporated by reference in Exhibit 1.

8.4 Insofar as the Agreement involves the transfer of Personal Data from the UK to a Non-Adequate Country, the parties agree to comply with the Controller-Processor UK Standard Contractual Clauses, incorporated by reference in Exhibit 2.

8.5 In the event that the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction and/or the analogous competent authority in the EEA or United Kingdom revises and thereafter publishes new Standard Contractual Clauses or as otherwise required or implemented by such authority, such new Standard Contractual Clauses will supersede and replace the existing Standard Contractual Clauses. If such revision or publication requires that this DPA be adjusted to accommodate new or changing requirements, the parties agree to promptly negotiate in good faith to amend this DPA.

8.6 Except as covered or permitted by the Standard Contractual Clauses, applicable law, or a country in respect of which a valid adequacy decision has been issued by the European Commission, as the case may be, TrustedIQ shall not process Personal Data outside the European Economic Area or the United Kingdom without the express written consent of the Customer.

 

9. General

‍

9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. This DPA is incorporated into and made a part of the Agreement by this reference. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail so far as the subject matter concerns the processing of Personal Data.

9.2 Customer and TrustedIQ each agree that the governing law and venue provisions in the Agreement apply to this DPA.

‍

Exhibit 1

Standard Contractual Clauses - Controller to Processor

 

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The parties agree that the following terms apply:

 

1. Clause 7: The parties have chosen not to include Clause 7.

 

2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least fourteen (14) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

 

3. Clause 11(a): The parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.

 

4. Clause 13(a):
[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.


[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

 

5. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

 

6. Clause 18(b): The parties agree that those shall be the courts of the Republic of Ireland.

‍

 

ANNEX I

 

A. LIST OF PARTIES

1. Data exporter(s): Refer to Signatories of the Agreement

Signature and date: Refer to Signatories of the Agreement

Role (controller/processor): Controller

2. Data importer(s): TrustedIQ Ltd

Signature and date: Refer to Signatories of the Agreement

Role (controller/processor): Processor

 

 

B. DESCRIPTION OF TRANSFER

‍

Data subjects: The Personal Data transferred concerns the following categories of data subjects:
Customer’s employees, customers

 

Categories of Personal Data: As part of the Services, TrustedIQ processes the following information:

Personal Data of Customer’s users (“User Data”)

  • Username
  • Name
  • Email address

 

Personal Data of Customer’s contacts (“Contact Data”)

  • Name
  • Phone number
  • Email address
  • Company name
  • Job Title

 

Special categories of data (if appropriate):

Contractual and Business Information:

Agreement Details: Contract numbers, start and end dates, renewal terms, termination conditions.

Financial Information: Pricing terms, discounts, payment terms, tax details, total amounts.

Scope of Services: Products/services descriptions, service levels, delivery schedules.

Order Details: Product/service identifiers, quantities, delivery dates, order numbers.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous basis

Nature of the processing:

As described in the Agreement(s)

Purpose(s) of the data transfer and further processing:

As described in the Agreement(s)

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the duration of the relevant Agreement(s) and Order Form(s)

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The same as the Data Importer

 

Processing operations:

As described in the Agreement(s)

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority/ies in accordance with Clause 13.

 

[Where the data exporter is established in an EU Member State: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established.]

 

[Where the data exporter is not established in an EU Member State, it appoints the following representative supervisory authority pursuant to Article 27(1) of Regulation (EU) 2016/679:

 

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland]

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

The Data Importer currently abides by the security standards in this Annex. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

 

Hosting Infrastructure

Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by Amazon Web Services (AWS).


Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single points of failure using an active/passive configuration in order to minimize the impact of environmental risks.


Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure conditions, and which will, when appropriate, trigger failover mechanisms.


Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.


Business Continuity. The Data Importer replicates its service and data over multiple data centers within a geographic region to protect against loss of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness for business continuity and disaster recovery.

 

Networks & Transmission

Network Data Transmission. Interactions between users, administrators and Data Importer modules are done using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.


Network Security. The Data Importer employs multiple layers of DoS protection, Intrusion Detection, Rate Limiting and other network security services from both its hosting providers and third-party providers.


Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.

 

Policies and Procedures

Policies. The Data Importer has written, approved policies governing Account Management, Acceptable Use, Data Retention, Employee Code of Conduct, Encryption, Incident Response, Information Sensitivity, Use of Mobile Devices, Password Protection, Patch Management and Risk Management.


Procedures. The Data Importer has written and approved procedures for Data Breach Notification, Change Management, Communication, Disaster Recovery, DoS Response, System Backup and Recovery, and Monitoring.


Security Response. The Data Importer monitors a variety of communication channels for security incidents, and the Data Importer’s security personnel are required to react promptly to known incidents.

 

Access Controls

Access Procedures. The Data Importer maintains formal access procedures for allowing its personnel access to the production service and components involved in building the production service. Only authorized employees are allowed access to these restricted components and all access is approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the restricted components. Audit records are maintained to indicate who has access to restricted components.


Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a secured channel and requires two-factor authentication.


Logging. Access to the Data Importer’s production service and build infrastructure is done using unique IDs and is logged.


Infrastructure Security Personnel. The Data Importer maintains several security policies governing its personnel. The Data Importer’s infrastructure security personnel are responsible for the ongoing monitoring of the Data Importer’s security infrastructure, the review of the Services, and responding to security incidents.

 

Data Protection

 

In Transit. Interactions between users, administrators and TrustedIQ modules are done using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.


At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information such as cryptographic keys and application secrets.


Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted infrastructure. The data and service are replicated across multiple hosted datacenters within the same geographic region.


Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large degree of control over the specific data stored in the Service.


Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data Exporter’s data.


Software Code Review. The Data Importer employs a code review process to improve the security of the code used to provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of the change.

Automated testing. Each software build is subjected to a comprehensive suite of automated tests.

Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a periodic basis.

Sub-processor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the sub-processor provides a level of security and data protection controls appropriate to their access to data and the scope of the services they are engaged to provide.

‍

Data Privacy Office. The Data Privacy Office of the Data Importer can be contacted by the Data Exporter’s administrators by emailing security@TrustedIQ.com (or via such other means as may be provided by the Data Importer).

‍

 

Staff Conduct and Security

Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, usage, compliance and professional standards.

 

ANNEX III – AMENDMENTS TO ENABLE THE TRANSFER OF DATA FROM SWITZERLAND TO A THIRD COUNTRY

 

Pursuant to the FDPIC’s guidance titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties are adopting the GDPR standard for all data transfers under the FADP and under the GDPR. To the extent personal data is transferred outside of Switzerland to a country with an inadequate level of data protection, the following amendments to the Standard Contractual Clauses provided for in this Schedule 2 shall apply:

1. Annex I.C: The competent supervisory authority shall be the FDPIC, insofar as the data transfer is governed by the FADP; and shall be the EU authority referenced in Annex I.C insofar as the data transfer is governed by the GDPR.

2. The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

3. The Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised FADP.

 

Exhibit 2

The parties hereby agree that they will comply with the UK Standard Contractual Clauses: Controller to Processor, which are incorporated herein by reference, a copy of which can be found on the Information Commissioner’s Office’s website (ico.org.uk). You can also request a copy of the relevant clauses from security@TrustedIQ.com.

For the avoidance of doubt, the parties agree to all clauses in the UK Standard Contractual Clauses, regardless of whether such clauses are reproduced in this Exhibit 2. The parties agree that the following terms apply:

1. Clause 9: The Clauses shall be governed by the law of the Member State in which the data exporter is established.

2. Clause 11(3): The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

3. Appendix 1: As set out in Exhibit I (Annex I.B)

4. Appendix 2: As set out in the Agreement(s).
