Data Processing Agreement
This SimplicityDX (SDX) Data Processing Agreement, including its appendices, (“DPA”) establishes minimum data protection standards for SDX in connection with its performance of services for Company pursuant to the SimplicityDX, Inc. Software-as-a-Service Agreement (the “Agreement”). This DPA is incorporated as part of the Agreement. Terms not defined in Appendix 1 of this DPA shall have the meaning given in the Agreement. Unless otherwise stated in the Agreement, in the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall govern.
1. Roles of the Parties. With respect to PII Processed by SDX in connection with the Online Services, the parties acknowledge and agree that the Customer is a Data Controller and SDX is a Data Processor.
2. Instructions. Customer will disclose PII to SDX for the specific purposes outlined in the Agreement or any other written Processing instructions from Customer, as further described in Section 2 of Appendix 1. SDX shall only Process PII pursuant to such written directions from the Customer. SDX shall immediately inform the Customer if, in SDX’s opinion, a direction or instruction from the Customer infringes applicable Data Protection Law or if SDX determines it cannot meet its obligations under the CCPA. With respect to SDX’s Processing in accordance with the CCPA, SDX will not, unless as may otherwise be permitted for a Service Provider, (i) Sell or Share PII; (ii) retain, use, or disclose PII (a) other than for a Business Purpose under the CCPA on behalf of Customer and the specific purposes set out in Section 2 of Appendix 1, unless otherwise permitted under the CCPA, or (b) outside of the direct business relationship between SDX and Customer; or (iii) combine PII with personal information that SDX (a) receives from or on behalf of a third party or (b) collects from its own interactions with a Data Subject.
3. Compliance. SDX shall comply with Data Protection Law and provide the level of privacy protections required by such laws.
4. Security. SDX shall implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risks presented by Processing, including, but not limited to those measures set forth in Appendix 2.
5. Data Subject Requests. SDX shall promptly notify Customer of any request by a Data Subject to exercise rights under Data Protection Law such as to access, rectify, amend, correct, port, delete or cease Processing his or her PII. SDX shall provide assistance to Customer as reasonably necessary for Customer to meet its obligations in respect of Data Subject rights under Data Protection Law, provided that Customer must inform SDX of any request by a Data Subject that SDX must comply with and provide SDX with the information necessary to comply with such request.
6. Data Protection Assessments; Consultation. SDX shall provide assistance to Customer as may be reasonably requested in performing, where required by Data Protection Law, a data protection assessment and in consulting with competent supervisory authorities.
7. Governmental Requests. SDX shall promptly notify Customer of any notices, requests for information, or orders received from governmental authorities in relation to the PII or its Processing of such PII, unless prohibited by law. SDX shall not respond to such communication directly without the Customer’s prior authorization, unless legally compelled to do so. SDX shall work at the direction of the Customer to respond (or promptly provide reasonable assistance for Customer to respond) to such notices, requests for information, or orders from governmental or data protection authorities.
8. Personnel Confidentiality. SDX will subject each of its personnel to enforceable confidentiality obligations that apply to PII.
9. Audit and Intervention. Upon reasonable notice, SDX will (i) provide Customer with all relevant information necessary to demonstrate compliance with this DPA and Data Protection Law and (ii) allow Customer or another independent third-party auditor mandated by Customer to audit compliance with this DPA, at Customer’s expense. Upon reasonable notice, if Customer reasonably believes that SDX is engaged in unauthorized Processing, then Customer may instruct SDX to take reasonable and appropriate steps to stop and/or remediate the unauthorized Processing.
10. Personal Data Breaches. User Replay will notify Customer, without undue delay, upon discovering a Personal Data Breach, in which case SDX shall (i) as part of such notification describe the nature of the incident and, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of PII records concerned, and explain the impact of such Personal Data Breach upon Customer and the Data Subjects whose PII is affected by such Personal Data Breach; (ii) in no case delay notification because of insufficient information but instead provide and supplement notifications as information becomes available; and (iii) in cooperation with Customer, use its best efforts to investigate such Personal Data Breach and take necessary and appropriate corrective action to remedy such breach and prevent a recurrence of such breach. To the extent necessary and reasonably requested by Customer, SDX will, at Customer’s expense, assist Customer with its required notification obligations under Data Protection Law. “Personal Data Breach” shall include analogous variations of that term (including without limitation “Breach of the Security of the System,” “Security Breach,” “Breach of Security,” and “Breach of System Security”), each having the meaning ascribed to it in Data Protection Law.
11. Subprocessing. If SDX subcontracts or assigns any of its obligations with respect to the Processing of PII to a Subprocessor, SDX will (i) ensure that each Subprocessor has entered into a written agreement imposing obligations no less protective than those included in this DPA; (ii) perform appropriate due diligence to reasonably determine that each Subprocessor can perform as necessary for SDX to meet its obligations under this DPA; and (iii) remain fully responsible for the acts or omissions of the Subprocessor’s employees, agents, and subcontractors in the same manner as for its own acts or omissions. Customer authorizes SDX to engage the Subprocessors identified in Appendix 1 to Process PII. SDX will notify Customer in advance and in writing of any new Subprocessor that SDX proposes to engage. Customer will have thirty (30) days from receiving such notice to object to SDX’s engagement of the new Subprocessor. If Customer does not object within this period, SDX may permit the Subprocessor to Process PII. If Customer reasonably objects to SDX’s change of Subprocessor, Customer shall be entitled to terminate the Agreement with immediate effect in the event SDX does not take into consideration Customer’s objections.
12. Disposal or Return. SDX shall retain PII only for as long as necessary for Processing in accordance with the instructions set out in Section 2 or as permitted by applicable law. Upon termination or expiration of the Agreement or as otherwise instructed by Customer (or such later date if SDX is required by applicable law to retain the PII), SDX shall in accordance with the Customer’s instructions: (i) return to Customer a copy of the PII it Processed in connection with the Agreement, in a form and format reasonably agreed upon by the parties; or (ii) securely dispose of the PII (including all copies) in its possession or control that it Processed in connection with the Agreement.
13. Data Transfers
(a) Applicability of the Standard Contractual Clauses (2021). Where SDX Processes PII as a Processor in a Third Country, with respect to 2021 SCC Relevant Transfers, the Standard Contractual Clauses (2021) are incorporated herein by reference and shall apply between SDX and Customer as follows:
i. SDX is the data importer and Customer is the data exporter;
ii. The Standard Contractual Clauses (2021) shall constitute a separate agreement between each Customer acting as a data exporter and SDX acting as data importer.
iii. Where the Restricted Country in which the Customer is Established, or from where the PII originated, is not a member state of the EU, then: (1) references in the Standard Contractual Clauses (2021) to “EU,” “Union,” “EU Member State,” or “Member State” shall refer instead to that Restricted Country; (2) references to “Regulation (EU) 2016/679” or “that Regulation” shall refer instead to the Data Protection Laws of that Restricted Country and references to specific provisions or articles of GDPR shall be replaced with the equivalent provision or article of the Restricted Country’s Data Protection Law; (3) “supervisory authority” shall refer to the data protection authority in that Restricted Country; and (4) references to the “Clauses” means this Section 13 as it incorporates the Clauses.
iv. Where the data exporter and the data importer are directed to select a module, Module Two (Transfer controller to processor) shall apply.
v. For the purposes of Section I, Clause 7, the optional docking clause applies.
vi. For the purposes of Section II, Clause 8.1, the instructions to data importer shall be instructions to Process PII in accordance with the terms of this DPA.
vii. For the purposes of Section II, Clause 8.5, the data importer’s storage, erasure and return of PII shall be construed by reference to the terms of this DPA.
viii. For the purposes of Section II, Clause 9, option 2 (general written authorisation) applies and the data importer’s ability to engage Subprocessors shall otherwise be construed by reference to the terms of this DPA.
ix. For purposes of Section II, Clause 11, the optional language does not apply.
x. For the purposes of Section IV, Clauses 17 and 18, the parties agree that their respective obligations under the Standard Contractual Clauses (2021) shall be governed by the laws of and subject to the jurisdiction of the courts of the country in which the Customer is located.
xi. Annex I, Part A (List of parties) is completed with the details of Customer (as data exporter) and the details of SDX (as data importer), as provided in the Agreement.
xii. For the purposes of Annex I, Part B (Description of the transfer) and Annex II (Technical and organisational measures, including technical and organisational measures to ensure the security of the data) of the Standard Contractual Clauses (2021), the description of the transfers and list of Subprocessors shall be set out in Appendix 1 and technical and organisational measures shall be as set out in Appendix 2 of this DPA.
xiii. For the purposes of Annex I, Part C (Competent Supervisory Authority), the parties elect the data protection authority of the country in which the Customer is located. For the avoidance of doubt, the Parties acknowledge and agree that, where the Data Protection Law of the Restricted Country governs the transfer of PII, a competent supervisory authority outside the EU may be entitled to concurrent jurisdiction.
xiv. In the event of any inconsistency or conflict between the Standard Contractual Clauses (2021) and this Section 13, the provisions shall be construed in the manner that affords the greatest protections to Data Subjects.
(b) Applicability of the Standard Contractual Clauses (2010). Where SDX Processes PII as a Processor in a Third Country, with respect to any transfer from a Restricted Country that is not a 2021 SCC Relevant Transfer, the Standard Contractual Clauses (2010) are incorporated herein by reference and shall apply between SDX and Customer as follows:
i. References to “member state” shall be deemed to be references to the Restricted Country and references to Articles within Directive 95/46/EC shall be deemed to be references to the nearest equivalent provisions of the Restricted Country’s Data Protection Law.
ii. For the purposes of Clauses 9 and 11(3) of the Standard Contractual Clauses (2010), the governing law shall be the law of the Restricted Country.
iii. Appendix 1 of the Standard Contractual Clauses (2010) is completed with the information set out in Appendix 1 to this DPA.
iv. Appendix 2 of the Standard Contractual Clauses (2010) is completed with the information set out in Appendix 2 to this DPA.
v. The optional indemnification clause shall not apply.
(c) Application of Law. The parties intend for this DPA to be read and interpreted consistent with the provisions of applicable Data Protection Laws, and to fulfill the intention to provide appropriate safeguards for transfers of PII from Restricted Countries. This DPA shall not be interpreted in a way that conflicts with rights and obligations provided for in applicable Data Protection Laws.
(d) Invalidation of Transfer. In the event that any competent legal authority holds that a data transfer mechanism relied on by the parties is invalid, or any competent supervisory authority or applicable law requires transfers of PII to be supported by additional measures, suspended, or restricted to a specific jurisdiction, then the Customer may, at its discretion, require SDX to cease Processing PII or co-operate with the Customer to facilitate use of an alternative data transfer mechanism, execute additional documents, apply additional protections, or restrict Processing to certain jurisdictions.
14. Order of Precedence and Interpretation
(a) In case of any inconsistency, conflict, or ambiguity among the terms the parties have agreed upon, the documents shall govern in the following order: (i) the Standard Contractual Clauses, if applicable; (ii) this DPA; and (iii) the Agreement.
(b) For the avoidance of doubt, claims made under this DPA shall be subject to any limitation of liability terms contained in the Agreement, if any.
15. Governing Law
Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this DPA will be subject to the governing law and jurisdiction provisions identified in the Agreement, without giving effect to conflict of laws principles.
APPENDIX 1: DEFINITIONS AND DETAILS OF PROCESSING
1. Definitions
For purposes of this DPA, the following terms will have the following meanings:
(a) “2021 SCC Relevant Transfer” means a transfer of PII to a Third Country of PII that is subject to the GDPR, or to applicable Data Protection Law where any required legal mechanism or adequacy standard necessary to support the transfer can be met by entering into the Standard Contractual Clauses (2021);
(b) “CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any implementing regulations;
(c) “Data Controller” means a person or entity which, alone or jointly with others, determines the purposes and means of the Processing of PII;
(d) “Data Processor” means a person or entity which Processes PII on behalf of the Data Controller;
(e) “Data Protection Law” means any federal, state, provincial, local, municipal, foreign, international, multinational or other constitution, law, statute, treaty, rule, regulation, ordinance, code, and guidance issued by regulatory authorities competent to interpret or enforce the same, relating to processing PII, privacy, data protection (the protection of PII), or cybersecurity, as may be amended from time to time, including without limitation the CCPA, each only when applicable to SDX’s Processing;
(f) “Data Subject” means the individual to whom PII relates;
(g) “Data Subject Request” means a request by a Data Subject for information, access, rectification, erasure, restriction, portability, objection, do-not-sell, deletion, and any other similar requests;
(h) “Established” means the effective and real exercising of activity through stable arrangements and “Establishment” refers to such stable arrangement;
(i) “EU” means the European Union;
(j) “PII” means any information relating to an identified or identifiable natural person including any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Data Protection Laws, limited to that PII SDX Processes in connection with the provision of the Online Services to Customer;
(k) “Process” or “Processing” means any operation or set of operations performed upon PII, whether or not by automatic means, including the collection, recording, organization, structuring, storage, adaptation or alteration, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of PII;
(l) “Restricted Country” means any country which restricts the transfer of PII to another country not deemed adequate to receive such PII;
(m) “Sensitive PII” shall mean PII revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; sex life or sexual orientation; the Processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject; PII relating to criminal convictions and offences or related security measures; government-issued identification number; account credentials; financial account numbers including payment card numbers; precise geolocation data; contents of communications not directed to SDX or Customer; and such subsets of PII that are deemed “sensitive” or require enhanced protections under applicable Data Protection Laws;
(n) “Standard Contractual Clauses” means, collectively, the Standard Contractual Clauses (2010) and the Standard Contractual Clauses (2021);
(o) “Standard Contractual Clauses (2010)” means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC adopted by the European Commission decision of 5 February 2010 C(2010) 593, available at EUR-Lex - 32010D0087 - EN - EUR-Lex (europa.eu);
(p) “Standard Contractual Clauses (2021)” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021 C(2021) 3972, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en;
(q) “Subprocessor” means a person or entity which Processes PII on behalf of a Processor;
(r) “Third Country” means a country not deemed adequate to receive PII under the Data Protection Law of the applicable Restricted Country;
(s) The terms “Business,” “Consumer,” “Service Provider,” “Sell,” “Share,” and “Business Purpose” as used in this DPA will have the meanings ascribed to them in the CCPA; and
(t) References in this DPA to “Data Controller,” “Data Subject,” and “Data Processor” include “Business,” “Consumer,” and “Service Provider,” respectively.
2. Details of Processing
The details of the Processing of PII carried out by SDX as a Data Processor are as follows:
(a) Data Subjects: SDX will Process PII relating to the following Data Subjects: visitors to Customer’s website.
(b) Categories of PII: SDX will Process the following categories of PII: the activity of visitors to Customer’s website that is collected by Customer using the Online Services. Customer shall immediately inform SDX if it intends to use the Online Services to collect any Sensitive PII.
(c) Frequency of Transfer: SDX is located in and the Online Services are hosted from the United States. As such, PII will be transferred on an ongoing or regular basis.
(d) Subject matter, nature and purpose of the Processing operations: SDX will Process PII for the purpose of providing the Online Services, and for such other purposes as may be described in the Agreement or instructions of the Customer.
(e) Duration of Processing (the period for which the PII will be retained, or, if that is not possible, the criteria used to determine that period): SDX will Process the PII only for as long as the Online Services are provided under the Agreement or such longer period as required by applicable law.
APPENDIX 2: TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE STANDARD CONTRACTUAL CLAUSES
With respect to Annex II of the Standard Contractual Clauses, SDX shall apply the following technical and organizational measures. These safeguards are without prejudice to the measures required by the DPA, which shall take precedence to the extent they require SDX to implement more protective measures:
1. Strong encryption of PII in transit and at rest, as applicable, that meets industry best practices, is robust against cryptanalysis, is not susceptible to interference or unauthorized access, and for which key access is limited to specific authorized individuals with a need to access PII in order to engage in Processing or, wherever practicable, such key access is limited solely to the exporter;
2. Wherever practicable with respect to Processing, pseudonymization sufficient to cause PII to no longer be attributable to a specific individual, provided safeguards are in place to prevent reidentification and the algorithmic process or key to re-establish identity is held only by the data exporter;
3. If agreed by the Parties, or as otherwise practicable, physical locations in which Sensitive PII are Processed will be limited to the applicable Restricted Country or countries deemed adequate to receive such PII under the Data Protection Laws of the applicable Restricted Country;
4. Access restrictions and procedures, including unique user identification, to limit Processing to authorized SDX workforce and devices authorized explicitly by SDX through proper separation of duties, role-based access, on a need-to-know and least privilege basis;
5. Multi-factor authentication and use of a virtual private network for any remote access to SDX systems or PII;
6. Physical security procedures, including the use of monitoring 24 hours a day, 7 days a week, access controls and logs of access, and measures sufficient to prevent physical intrusions to any SDX facility where PII is Processed;
7. Secure disposal of equipment and physical and electronic media that contain PII;
8. Ongoing vulnerability identification, management and remediation of systems including applications, databases, and operating systems used by SDX to Process PII;
9. Logging and monitoring to include security events, all critical assets that Process PII, and system components that perform security functions for SDX’s network (e.g., firewalls, IDS/IPS, authentication servers) intended to identify actual or attempted access by unauthorized individuals and anomalous behavior by authenticated users;
10. Monitoring, detecting, and restricting the flows of PII on a multi-layered basis, including but not limited to the use of network segmentation, secure configuration of firewalls, intrusion detection and/or prevention systems, denial of service protections;
11. Remote work procedures that require “clean desk” standards in place and a remote work management program that limits use to only devices authorized pursuant to SDX’s security program;
12. Data protection program elements, such as technical measures or documented procedures, to address data minimization and limited retention, data quality, and implementation of data subject rights, appropriate to the nature of the Processing and the Online Services;
13. Appropriate IT governance processes that address risk management, system configuration, and process assurance, including regular and periodic testing and evaluation of the sufficiency of SDX’s data protection program and technical controls;
14. Business continuity and disaster recovery plans intended to ensure integrity, resiliency, and availability of SDX systems and PII, as well as timely restoration of access to PII; and
15. SDX shall, at the request of data exporter, promptly provide a copy of its most recent SDX SOC 2 Type II report, PCI Attestation of Compliance and/or industry certification such as ISO/IEC 27001 or any successor standards for information security management. If SDX does not hold such certification, it must conduct, at its own expense and no less than annually, an independent third-party audit of SDX’s security program, systems, and facilities used to Process PII, with a detailed summary of the report to be provided to data exporter.