Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Master Software and Services Terms (the “Agreement”) between ComplianceMetrix and you and applies only to the extent required by Data Protection Laws with regard to the relevant Your Personal Data, if applicable.

  • DEFINITIONS. The terms used in this Addendum shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
  • Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either you or ComplianceMetrix respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
  • CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations, each as may be amended or replaced from time to time.
  • "Data Protection Laws" means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Your Personal Data, including, where applicable, European Data Protection Laws and the CCPA.
  • Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
  • European Data Protection Laws” means, in each case to the extent applicable: (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time, (“GDPR”); (b) the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018 (collectively, the “UK GDPR”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
  • Personal Data” means “personal data”, “personal information”, “personally identifiable information”, or similar information defined in and governed by Data Protection Laws.
  • Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Security Incident” means a breach of ComplianceMetrix’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Your Personal Data in ComplianceMetrix’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Your Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
  • Services” means the ComplianceMetrix Service, the Professional Services, and any such other services that ComplianceMetrix has agreed to provide to you under the Agreement.
  • Standard Contractual Clauses means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1688587744942), as supplemented or modified by Section 13.2 of this Addendum.
  • "Subprocessor" means any third party or ComplianceMetrix Affiliate appointed by ComplianceMetrix to Process Your Personal Data.
  • Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
  • "Your Personal Data" means any Personal Data within Your Data that is Processed by ComplianceMetrix to perform the Services under the Agreement. For purposes of this Addendum, Your Personal Data does not include Aggregated Data or Personal Data of employees or other of your representatives with whom ComplianceMetrix has a direct business relationship.

 

  • ROLES OF THE PARTIES. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Your Personal Data under the Agreement, you are a Controller and ComplianceMetrix is a Processor. In some circumstances, the parties acknowledge that you may be acting as a Processor to a third-party Controller in respect of Your Personal Data, in which case ComplianceMetrix will remain a Processor with respect to you in such event.  Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Your Personal Data.
  • PROCESSING OF YOUR PERSONAL DATA. ComplianceMetrix will not Process Your Personal Data other than on your documented instructions unless otherwise required by applicable law, in which case ComplianceMetrix will inform you of such Processing unless notification is prohibited by applicable law. For the avoidance of doubt, the Agreement, this Addendum, and any related order form shall constitute documented instructions for the purposes of this Addendum. You acknowledge and agree that such instruction authorizes ComplianceMetrix to Process Your Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; (c) pursuant to any other written instructions given by you and acknowledged in writing by ComplianceMetrix as constituting instructions for purposes of this Addendum; and (d) as reasonably necessary for the proper management and administration of ComplianceMetrix’s business. You shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding your use and disclosure and ComplianceMetrix’s Processing of Your Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose Your Personal Data to ComplianceMetrix and to permit the Processing of Your Personal Data by ComplianceMetrix for the purposes of performing ComplianceMetrix’s obligations under the Agreement or as may be required by Data Protection Laws. You shall notify ComplianceMetrix of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Your Personal Data that would impact ComplianceMetrix’s ability to comply with the Agreement, this Addendum, or applicable Data Protection Laws.
  • DETAILS OF PROCESSING. The parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is ComplianceMetrix’s provision of the Services; (b) the duration of the Processing is from ComplianceMetrix’s receipt of Your Personal Data until deletion of all Your Personal Data by ComplianceMetrix in accordance with the Agreement and this Addendum; (c) the nature of the Processing involves those activities reasonably required to facilitate or support the provision of the Services; (d) the purpose of the Processing includes performing the Services as described in the Agreement and carrying out the instructions set forth in Section 3 of this Addendum, helping to ensure security and integrity, debugging to identify and repair errors that impair existing intended functionality, undertaking internal research for technological development and demonstration, and undertaking activities to verify or maintain the quality or safety of the Services and to improve, upgrade, or enhance same; (d) the Data Subjects to whom the Processing pertains shall be as contemplated or related to the Processing described in the Agreement and may include your employees, contractors, consultants, franchisees, customers, prospective customers, business partners, and your other contacts; and (e) the categories of Your Personal Data are such categories as you are authorized to provide or submit under the Agreement.
  • PROCESSING SUBJECT TO THE CCPA. As used in this Section 5, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Your Personal Data. ComplianceMetrix will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between you and ComplianceMetrix; or (c) combine Personal Information received from, or on behalf of, you with Personal Data received from or on behalf of any third party, or collected from ComplianceMetrix’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. ComplianceMetrix hereby certifies that it understands the foregoing restrictions under this Section 5 and will comply with them. The parties acknowledge that the Personal Information disclosed by you to ComplianceMetrix is provided to ComplianceMetrix only for the limited and specified purposes of providing the Services as further described in Section 4 of this Addendum. ComplianceMetrix will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. You have the right to take reasonable and appropriate steps to help ensure that ComplianceMetrix uses the Personal Information transferred in a manner consistent with your obligations under the CCPA by exercising your audit rights in Section 12 of this Addendum.  ComplianceMetrix will notify you if it makes a determination that it can no longer meet its obligations under the CCPA. If ComplianceMetrix notifies you of unauthorized use of Personal Information, including under the foregoing sentence, you will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with ComplianceMetrix, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
  • CONFIDENTIALITY. ComplianceMetrix shall take reasonable steps to ensure that ComplianceMetrix personnel that Process Your Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
  • SECURITY. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ComplianceMetrix shall in relation to Your Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with the standards and policies available at https://trust.cmx1.com/
  • SUBPROCESSORS. You generally authorize ComplianceMetrix to engage third parties (including ComplianceMetrix Affiliates) as Subprocessors as ComplianceMetrix considers reasonably appropriate for the Processing of Your Personal Data in connection with providing the Services under the Agreement. You hereby approve ComplianceMetrix’s Subprocessors, which can be found at https://trust.cmx1.com/ ("Subprocessor List"), including their functions and locations. Subprocessors may be updated by ComplianceMetrix from time to time in accordance with this Section by updating the Subprocessor List. ComplianceMetrix shall notify you of the addition or replacement of any such Subprocessor and you may, on reasonable data protection grounds, object to a Subprocessor by notifying ComplianceMetrix in writing within ten (10) days of receipt of ComplianceMetrix's notification, giving reasons for you objection. Upon receiving such objection, ComplianceMetrix shall: (1) work with you in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (2) where ComplianceMetrix informs you that such change cannot be made, you may by written notice to ComplianceMetrix with immediate effect terminate the portion of the Agreement or relevant order form to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is your sole and exclusive remedy to your objection of any Subprocessor appointed by ComplianceMetrix. ComplianceMetrix shall require all Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum. ComplianceMetrix shall remain fully liable for compliance with the obligations of this Addendum and for any acts and omissions of each Subprocessor that cause ComplianceMetrix to breach any of its obligations hereunder.

  • DATA SUBJECT RIGHTS. If ComplianceMetrix receives a request from a Data Subject under any Data Protection Laws in respect to Your Personal Data, ComplianceMetrix will advise the Data Subject to submit the request to you and you will be responsible for responding to any such request. ComplianceMetrix will (taking into account the nature of the Processing of Your Personal Data) provide you with self-service functionality through the Services or other reasonable assistance as necessary for you to perform your obligations under Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws, provided that ComplianceMetrix may charge you on a time and materials basis in the event that ComplianceMetrix considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

  • SECURITY INCIDENTS. If ComplianceMetrix becomes aware of Security Incident, ComplianceMetrix will notify you without undue delay after becoming aware of the Security Incident. Such notification may be delivered to an email address provided by you or by direct communication (for example, by phone call or an in-person meeting). You are solely responsible for ensuring that the appropriate notification contact details are current and valid. ComplianceMetrix will take reasonable steps to (a) identify the cause of such Security Incident, minimize harm, and prevent a recurrence, and (b) provide you with information available to ComplianceMetrix that you may reasonably require to comply with your obligations under Data Protection Laws. ComplianceMetrix’s notification of or response to a Security Incident under this Section 10 will not be construed as an acknowledgement by ComplianceMetrix of any fault or liability with respect to the Security Incident.
  • ASSESSMENTS AND PRIOR CONSULTATIONS. In the event that Data Protection Law requires you to conduct a privacy impact assessment or transfer impact assessment, or requires assistance with any prior consultations to any Supervisory Authority, following your written request, ComplianceMetrix shall use commercially reasonable efforts to provide relevant information and assistance for you to fulfil such request, taking into account the nature of ComplianceMetrix’s Processing of Your Personal Data and the information available to ComplianceMEtrix. ComplianceMetrix reserves the right to charge you on a time and materials basis in the event that ComplianceMetrix considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

  • RELEVANT RECORDS AND AUDIT RIGHTS
  • Review of Information and Records. ComplianceMetrix shall make available to you on request, but not more than once per calendar year and subject to the confidentiality obligations of the Agreement, all information reasonably necessary to demonstrate ComplianceMetrix’s compliance with this Addendum. 
  • Audits. During the term of the Agreement, and subject to your request submitted through our interactive webform available at https://trust.cmx1.com/, if available, ComplianceMetrix will provide a copy of its most recent SOC Type II report or similar industry certification or any successor standards (“Report”) for information security management. If the Report is not dated within a year of your request or otherwise not available, or if you require information for your compliance with Data Protection Laws in addition to the information provided by the Report or under Section 12.1 above, ComplianceMetrix will allow for and contribute to reasonable assessments and audits, including inspections, by you or an auditor mandated by you, not being competitors of ComplianceMetrix ("Mandated Auditor"), provided that: (a) audits may only occur during normal business hours, and where possible only after reasonable notice to ComplianceMetrix (not less than 20 days' advance written notice); (b) audits will be conducted in a manner that does not have any adverse impact on ComplianceMetrix's normal business operations; (c) you or any Mandated Auditor will comply with ComplianceMetrix's standard safety, confidentiality, and security procedures in conducting any such audits; (d) any records, data, or information accessed by you or any Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of ComplianceMetrix; and (e) you may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws. ComplianceMetrix shall promptly inform you if, in its opinion, a request infringes the Data Protection Laws or any other confidentially obligations with ComplianceMetrix’s other customers. To the extent any such audit incurs in excess of 20 hours of ComplianceMetrix personnel time, ComplianceMetrix reserves the right to charge you on a time and materials basis for any such excess hours.  
  • DATA TRANSFERS.
  • Data Processing Facilities. ComplianceMetrix may, subject to Section 13.2 of this Addendum, Process Your Personal Data in the United States or anywhere ComplianceMetrix or its Subprocessors maintains facilities. Subject to ComplianceMetrix’s obligations in this Section 13, you are responsible for ensuring that your use of the Services comply with any cross-border data transfer restrictions of European Data Protection Laws.
  • Standard Contractual Clauses. In the event that you transfer Your Personal Data subject to European Data Protection Laws to ComplianceMetrix in a country which has not been recognized as providing an adequate level of protection for Your Personal Data within the meaning of applicable European Data Protection Laws, and no lawful alternative basis, mechanism, or framework for such transfer of Your Personal Data applies, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this Addendum. In furtherance of the foregoing, the parties agree that: (a)(i) if you are acting as the Controller with respect to Your Personal Data, “Module Two: Transfer controller to processor” shall apply; and/or (ii) if you are acting as a Processor to an Affiliate or other party with respect to Your Personal Data, “Module Three: Transfer processor to processor” shall apply; (b) the execution of the Agreement shall constitute execution of the applicable Standard Contractual Clauses as of the Effective Date of the Agreement; and (c) the Standard Contractual Clauses shall automatically terminate once the Your Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis. The parties further agree that the Standard Contractual Clauses shall be modified as follows:
  • The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 8 of this Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.
  • The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and this Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Section 4 of this Addendum (Details of Processing) shall be used to complete Annex I.B. of the Standard Contractual Clauses, and the frequency of the transfer shall be on a continuous basis for the term of the Agreement, the period for which the Your Personal Data will be retained by ComplianceMetrix will be as set forth in the Agreement and the Addendum, and any onward transfers to Subprocessors will be for the same subject matter, nature, and duration as set forth in Section 4 and this paragraph. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 13.3 or 13.4 of this Addendum. If such determination is not clear, then the competent supervisory authority shall be the Irish Data Protection Authority.  The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth at in accordance with the standards and policies available at https://trust.cmx1.com/.
  • In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The parties therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the provisions pertaining to audits, limitation of liability, and termination.
  • Transfers from the United Kingdom. If you transfer Your Personal Data to ComplianceMetrix that is subject to UK GDPR, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK GDPR applies to your Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided as set forth in Section 13.2 and this Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
  • Transfers from Switzerland. If you transfer Your Personal Data to ComplianceMetrix that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to your Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.
  • Other Jurisdictions. If you transfer Your Personal Data to ComplianceMetrix that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Your Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 13.2.
  • DELETION OR RETURN OF YOUR PERSONAL DATA. Unless otherwise required by applicable law, following termination or expiration of the Agreement, ComplianceMetrix shall, at your option, delete or return all Your Personal Data and all copies to you.
  • GENERAL TERMS. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, ComplianceMetrix’s deletion of all Your Personal Data. Except as expressly modified by this Addendum, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Your Personal Data, this Addendum will govern. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.