DATA PROTECTION ADDENDUM

(08-2022)

The terms of this Data Protection Addendum (“DPA” or “Addendum”) are incorporated into a Subscription Agreement and/or Evaluation Agreement between Customer and Precisely governing the Data Integrity Suite (the “Agreement”) for the DPA Term to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of all Applicable Laws, including laws, orders, rules, or regulations relating to privacy, data protection, or cyber security (as such terms are defined below).

Modifications to this Agreement: The terms of this Addendum may not be modified with respect to the Order giving rise to the Agreement to which they apply except as follows: (a) in writing and signed by both parties, (b) unless otherwise specified by Precisely, changes to this Addendum become effective upon (i) any extension of the then-current Term, or (ii) upon the Commencement Date of a new Order after the effective date of the updated version of this Addendum. Continued use of any Service after the updated version of this Addendum goes into effect as noted above will constitute Customer’s acceptance of such updated version. This DPA applies only to the extent Precisely Processes Customer Personal Data on behalf of Customer as a Data Processor (as such terms are defined below).

1. DEFINITIONS

1.1 For the purposes of this Agreement, the following terms will have the corresponding definitions:

“Authorized Affiliate” means any Customer Affiliate which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement and Order but has not signed an Order as a separate entity and is therefore not a “Customer” as defined in the Agreement.

“CCPA” means the California Consumer Privacy Act, California Civil Code sections 1798.100 et seq., and its implementing regulations, as amended or superseded from time to time.

“Customer” for the purposes of this DPA only, and except as indicated otherwise, means the entity signing this DPA together with its Authorized Affiliates.

“Customer Data” has the meaning set forth in the Agreement using the definition of Customer above.

“Customer Personal Data” means Customer Data that is Personal Data Processed by Precisely on behalf of Customer in the performance of the Services.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term Data Controller shall include the term “Business” as that term has been defined in the CCPA.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. The term Data Processor shall include the term “Service Provider” as that term has been defined in the CCPA.

“Data Protection Laws” means all applicable country, federal, state and local law, ordinances, statute, by-law, regulation, order, regulatory policy (including any requirement or notice of any regulatory body), compulsory guidance of a regulatory body with authority over the applicable party, rule of court or directive, binding court decision or precedent, or delegated or subordinate legislation, each of the above as may be amended from time to time, that pertain to data protection and privacy. In particular, the Data Protection Laws may include (as applicable) the GDPR, CCPA and other U.S. Federal and State data privacy and security rules and regulations; and other laws that specify privacy or data protection obligations that affect the Personal Data or the provision of the Services by Customer.

“Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Deidentified Data” means any Personal Data (including Customer Personal Data), which has been deidentified or aggregated such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Precisely or any other party reasonably likely to receive or access such Personal Data.

“DPA Term” with respect to this DPA once executed in accordance with Section 1, means the duration of the Processing under this DPA with respect to an Order beginning on the Commencement Date of such Order and continuing for the duration that Precisely is Processing Customer Personal Data in connection with the Order.

“Personal Data” means any information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual, natural person. Personal Data includes, not by way of limitation, direct identifiers (such as names, addresses, email addresses, phone numbers and identification numbers) but also biometric data, any and all information about an individual’s computer or mobile device or technology usage, including (for example) IP address, MAC address, unique device identifiers, unique identifiers set in cookies, and any information passively captured about a person’s online activities, browsing, application or hotspot usage or device location.

“Processing” and its derivatives, means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process”, “Processes”, and “Processed” shall be construed accordingly.

“Sale” and its derivatives, means (A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for valuable consideration other than as for the purposes described in the Agreement (or as otherwise agreed in writing by the parties).

“SCCs” means Standard Contractual Clauses for the cross-border transfer of Personal Data to third parties located in countries where there is not an adequate level of protection under Data Protection Laws and (a) with respect to member states of the European Economic Area (“EEA”), the standard contractual clauses adopted by the European Commission as of 4-June-2021, the text of which is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU SCCs”), and (b) with respect to the United Kingdom (“UK”), the EU SCCs supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (“International Data Transfer Addendum”) (together with the EU SCCs, the “UK SCCs”), including any updated, amended, or subsequent versions approved by the respective data protection authority.

“Subprocessor” means any other Processors engaged by Precisely to Process Customer Personal Data.

“Transfer” means to disclose or otherwise make Customer Personal Data available to a third-party including by physical movement of the Customer Personal Data to such third-party or by enabling remote access or by other means.

“User” has the meaning set forth in the Agreement.

1.2 In the event of any conflict or ambiguity between the provisions of this DPA, the Agreement and any Order, the conflict or ambiguity shall be resolved in the following descending order of precedence: this DPA; the Orders (with the most recent taking precedence); and the main body of the Agreement.

1.3 Terms that have been capitalized but not defined in this DPA shall have the same meaning as in the Agreement or the Data Protection Laws, as applicable.

DATA PRIVACY

2. DETAILS OF PROCESSING.

2.1 Subject matter. The subject matter of the Processing under this DPA is Customer Personal Data.

2.2 Duration. As between Precisely and Customer, the duration of the data processing under this DPA is the DPA Term.

2.3 Purpose. The purpose of the data processing under this DPA is the provision of the Services.

2.4 Nature of the processing. The Services as described in the Agreement.

2.5 Type of Customer Data. Customer Personal Data uploaded to the Services.

2.6 Categories of data subjects. The Data Subjects could include Users as well as Customer’s customers, employees, and suppliers.

3. ROLES AND RESPONSIBILITIES

3.1 Parties’ Roles. Customer, as Controller, appoints Precisely as a Data Processor to process the Customer Personal Data on Customer’s behalf.

3.2 Purpose Limitation. Precisely shall process Customer Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer, unless Precisely is required to process Customer Personal Data by the Applicable Laws to which Precisely is subject. The Customer’s instructions may be specific or of a general nature as set out in this DPA or as otherwise notified in writing by the Customer to Precisely from time to time. Precisely may refrain from complying with the Customer’s instruction if it notifies the Customer that, in Precisely’s opinion, an instruction for the processing of Customer Personal Data given by the Customer infringes Data Protection Laws. The purpose of this section is only to determine the scope and the purposes of processing of Customer Personal Data by Precisely and nothing in this DPA will be deemed an obligation of Precisely to accept any instructions of the Customer other than provided under the Agreement.

3.3 Customer Compliance. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirements to provide notice to Data Subjects of the use of Precisely as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

3.4 Sale of Personal Data. The parties acknowledge and agree that Customer does not Sell Personal Data to Precisely in connection with the Agreement and that Precisely does not Sell Customer Personal Data.

4. DATA PROCESSING

Each Party shall comply with all applicable Data Protection Laws in connection with the performance of its obligations and the exercise of its rights under this Agreement. Precisely shall cooperate as requested by Customer, and where required under Data Protection Laws, in connection with any filings, disclosures, or registrations required by data protection authorities in connection with the provision or receipt of the Services.

5. SUBPROCESSING

Customer authorizes Precisely to appoint Subprocessors in accordance with this Section 6. Precisely may continue to use those Subprocessors already engaged by Precisely prior to the DPA Term. Precisely shall give Customer notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within five (5) Business Days of receipt of that notice, Customer notifies Precisely in writing of any objections (on reasonable grounds) to the proposed appointment: (a) Precisely shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (b) where: (i) such a change cannot be made within thirty (30) business days from Precisely’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, notwithstanding anything in the Agreement, either party may by written notice to the other party with immediate effect terminate the Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed Subprocessor. With respect to each Subprocessor, Precisely shall: (a) before the Subprocessor first Processes Customer Personal Data (or, as soon as reasonably practicable), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by this Addendum; and (b) ensure that the arrangement between Precisely and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Addendum. 
Precisely shall be liable for the acts and omissions of its Subprocessors to the same extent Precisely would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. TRANSFERS OF PERSONAL DATA AND THE SCCs

6.1 Precisely may Transfer the Personal Data across any national borders or permit remote access to Customer Personal Data from any employee, contingent worker, affiliate, Subprocessor or other third party outside of the country, and Customer hereby consents to the Transfer of Customer Personal Data, provided such Transfer complies with the provisions of this Addendum and Data Protection Laws, including but not limited to the requirement to ensure an adequate level of data protection while transferring Customer Personal Data.

6.2 With regard to Transfers of Customer Personal Data from the EEA, Precisely will conduct the transfers of Customer Personal Data pursuant to the EU SCCs. With regard to Transfers of Customer Personal Data from the UK, Precisely will conduct the transfers of Customer Personal Data pursuant to the UK SCCs.

6.3 For each applicable version of the SCCs between Precisely and Customer: (a) Customer and Precisely are deemed to have executed the SCCs as of the start of the DPA Term; and (b) Precisely is the “data importer” and Customer is the “data exporter.”

6.4 In the event that EU or UK authorities or courts determine that the Transfer mechanism selected above is no longer an appropriate basis for Transfers, Precisely and Customer shall promptly take steps reasonably necessary to demonstrate adequate protection for the Customer Personal Data, using another approved mechanism. Customer understands and agrees that Precisely may terminate the Transfers as needed to comply with Data Protection Laws.

6.5 Precisely shall, where legally permissible, advise Customer of any US-based governmental requests for access to Customer Personal Data (“US Data Requests”), and advise Customer of any EU-EEA based governmental requests for access to Customer Personal Data (“EU-EEA Data Requests”) or UK based governmental requests for access to Customer Personal Data (“UK Data Requests”) and work with Customer so that Customer may object to such US Data Requests, EU-EEA Data Requests, or UK Data Requests. For the avoidance of doubt, Customer understands that Precisely advising Customer of US Data Requests, EU-EEA Data Requests or UK Data Requests may not always be legally permissible.

7. COOPERATION

With regard to Customer Personal Data as required under Data Protection Laws, Precisely shall provide reasonable assistance to Customer at Customer’s sole cost and expense to respond to (i) data protection impact assessments and prior consultations with data protection authorities; (ii) data subject requests to exercise rights; and (iii) inquiries or complaints received from a Data Subject, regulator, or other third party.

8. DELETION/RETURN OF CUSTOMER PERSONAL DATA

Upon the termination of the Agreement for any reason, or at any time upon Customer’s written request, Precisely shall make the Customer Personal Data accessible for download or return to Customer and/or securely delete or destroy, in accordance with Data Protection Laws, all originals and copies of Customer Personal Data, except to the extent otherwise required by the Agreement, this Addendum or any Data Protection Laws. Upon written request by Customer, Precisely shall promptly provide to Customer a written confirmation that all Customer Personal Data has been returned to Customer or securely destroyed in accordance with the Agreement and this Addendum. Notwithstanding the foregoing, Precisely may retain Customer Personal Data in accordance with Precisely’s records management and digital archival back-up policies (“Records Management Policy”), provided such Customer Personal Data is destroyed in due course in accordance with the Records Management Policy and applicable Data Protection Laws.

9. DEIDENTIFIED DATA

Precisely may freely use and disclose Deidentified Data for Precisely’s own business purposes without restriction.

10. AUDITS

Following Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Precisely shall make available to Customer information regarding Precisely’s compliance with the obligations set forth in this DPA in the form of third-party certifications and audits, to the extent that Precisely makes them generally available to its customers. Customer may reasonably request in writing an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse Precisely for any time expended for any such on-site audit at Precisely’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Precisely shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Precisely. Customer shall promptly notify Precisely and provide information about any actual or suspected non-compliance discovered during an audit. The provision in this section shall by no means derogate from or materially alter the provisions on audits as specified in the SCCs.

11. REPORTS

Precisely shall make available to Customer, on written request, such information as reasonably appropriate under the circumstances to demonstrate Precisely’s compliance with the above Data Privacy provisions relating to the Processing of Customer Personal Data.

GENERAL TERMS

12. ENTIRE AGREEMENT

This DPA and the Agreement, where referenced, contain the entire agreement regarding the data of the Services and supersede any other data protection/privacy agreements and communications between the parties concerning the Processing by Precisely of Customer Data (including Customer Personal Data) in connection with the Services. In the event and to the extent of a conflict between this Addendum and the Agreement, this Addendum shall control with respect to that conflict. In the event and to the extent of a conflict between this Addendum and the SCCs, the SCCs shall control with respect to that conflict.

13. LIMITATION OF LIABILITY AND INDEMNITY

The total combined liability of either party towards the other party, whether in contract, tort or under any other theory of liability, shall be limited as set forth in the Agreement and references to the liability of a party shall apply to liability arising under or in connection with this DPA in the aggregate with the Agreement.

14. THIRD PARTY RIGHTS

This DPA shall not confer any rights or remedies to any other person or entity other than the Parties except as to enable the Data Protection Law rights of Data Subjects of Customer Personal Data under this DPA.

15. AMENDMENT

This DPA may not be modified, amended, or changed except in writing and as agreed by and executed by the Parties.

16. CHOICE OF LAW

This Addendum and the rights and obligations contained in it or otherwise arising between the Parties will be governed by and construed in accordance with the laws of the State of New York, without regard to any choice of law or conflicts of law principles.

17. TERMINATION

Customer shall have the right to terminate this DPA upon written notice to Precisely.