This Data Processing Addendum (“Addendum”) forms part of all written or electronic agreements (“Agreement”) by and between the customer named at the end of this Addendum (“Customer”) and Privafy, Inc. (“Privafy”).
1. Defined Terms
In this Addendum, the following terms have the following meanings:
- “Authorized User” means a Data Subject who accesses and/or uses the Privafy Services pursuant to the Agreement.
- “CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 – 1798.199) and its implementing regulations (as and when finalized).
- “Controller” means the person or entity who or that determines the purpose and means of Processing of Personal Data.
- “Data Protection Law” means applicable laws relating to privacy protection in all jurisdictions where the Agreement is performed (including without implied limitation GDPR and CCPA), each as amended from time to time.
- “Data Subject” means a natural person to whom Personal Data relates, including a “consumer” as defined under CCPA.
- “GDPR” means the General Data Protection Regulation (EU 2016/679) and its implementing laws.
- “Business Purpose” means Processing of Personal Data of Authorized Users to: (i) identify Authorized Users to enable their use of the Privafy Services; (ii) track and record support provided to or for Authorized Users; (iii) communicate with Authorized Users regarding the Privafy Services and related products and services; (iv) detect and prevent fraudulent or unauthorized use of the Privafy Services; (v) analyze and use data generated and derived from or about the operation and use of the Privafy Services for Privafy’s legitimate and lawful operational, technological development, improvement and related business purposes; and (vi) report and account for use of the Privafy Services as required or permitted by law applicable to Privafy.
- “Personal Data” has the meaning given under Data Protection Law and relates to Authorized Users.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Personal Data that requires notification to third parties pursuant to Data Protection Law.
- “Privafy Services” means the end-to-end Data-in-Motion security solutions provided by Privafy to Customer pursuant to the Agreement.
- “Process” and “Processing” (and their variants) mean any operation or set of operations performed on Personal Data.
- “Processor” means the person or entity who or that Processes Personal Data on behalf of the Controller, including a “service provider” as defined in CCPA.
Any other capitalized term used but not defined in this Addendum has the meaning given in the Agreement.
2. Data Processing Obligations
- Customer will only disclose Personal Data to Privafy to Process as necessary to perform the Agreement. Customer acknowledges and agrees that data (including Personal Data) transmitted by or on behalf of Customer through the Privafy Services is encrypted and inaccessible to Privafy unless Customer agrees in writing to permit Privafy to access the data.
- Except as set forth in Section 2c, Customer as Controller appoints Privafy as Processor to Process Personal Data on behalf of Customer for the purposes set forth in the Agreement and as otherwise instructed by Customer in writing or as required to comply with applicable law. Privafy shall have no liability for any claim arising from or related to Privafy’s Processing of Personal Data under this Addendum pursuant to Customer’s instructions.
- Privafy shall Process Personal Data for the Business Purpose as a separate and independent Controller. In no event will Customer and Privafy Process Personal Data as Joint Controllers (as such term is defined in GDPR). Each party is individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Law.
- Customer hereby represents to Privafy that all Personal Data provided or made available by or on behalf of Customer to Privafy for Processing in connection with the Agreement was collected by Customer and is transmitted to Privafy in accordance with Data Protection Law. Customer has obtained all necessary authorizations from each Data Subject required under Data Protection Law to enable Privafy to Process the Personal Data pursuant to the Agreement and to exercise its rights and fulfil its obligations under this Agreement.
3. Privafy as Processor
When Privafy is acting as a Processor pursuant to Section 2b, the following terms shall apply:
- Unless restricted by applicable law, Privafy shall inform Customer if, in Privafy’s reasonable judgment, Processing of Personal Data pursuant to the Agreement or Customer’s instruction conflicts or is inconsistent with Privafy’s legal obligations or Data Protection Law.
- Privafy shall ensure that all employees and agents (including sub-Processors) who or that are authorized by Privafy to Process Personal Data are subject to contractual, statutory or common law obligations of confidentiality.
- Privafy shall provide Customer with reasonable assistance with data protection impact assessments or prior consultations with a supervisory authority (as such term is defined in GDPR) that Customer is required to carry out under Data Protection Law.
- Privafy shall implement reasonable and appropriate administrative, physical and technical safeguards in relation to the Processing of Personal Data that are intended to ensure a level of security appropriate to the Personal Data Processing pursuant to the Agreement, including as applicable the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and a procedure for regularly testing, assessing and evaluating the effectiveness of its administrative, physical and technical safeguards.
- Without undue delay and within no more than forty-eight (48) hours after Privafy has a reasonable degree of certainty about the occurrence of a Personal Data Breach affecting Personal Data Processed by Privafy pursuant to this Addendum, Privafy shall notify Customer of the Personal Data Breach via email to the email address associated with the Customer’s PrivafyCentral account (“Customer Notification Email”), provide such information as Customer may reasonably require to meet its obligations under applicable law with respect to the Personal Data Breach and take steps to remediate the Personal Data Breach.
- Privafy shall timely notify Customer via the Customer Notification Email if Privafy receives a valid and verifiable request from an Authorized User relating to the Processing of his or her Personal Data pursuant to the Agreement. If Privafy has access to the Personal Data that is subject to the request, Privafy shall provide Customer with reasonable assistance in responding to the request or notice.
- If Customer is subject to an information request or investigation from a competent data protection regulator, Privafy shall, when required, respond to information requests (if and to the extent Privafy has the requested information and Customer does not), provided that Customer shall pay Privafy’s reasonable costs for any assistance unless such costs are incurred due to Privafy’s breach of its obligations under this Addendum, in each case for the purpose of evidencing its compliance with this Addendum, provided that:
  - Customer shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential other than legally-mandated disclosure to a competent data protection regulator or as otherwise required by applicable law;
  - Customer shall ensure that any information request, audit or inspection shall not oblige Privafy to provide or permit access to information concerning Privafy’s internal pricing information or relating to other recipients of Privafy Services;
  - If any information request or investigation relates to systems provided by or on the premises of Privafy’s sub-Processors, the scope of such information request or investigation shall be as permitted under the relevant agreement in place between Privafy and the sub-Processor; and
  - Customer shall pay Privafy’s reasonable costs for Privafy’s assistance with an audit or inspection or other work undertaken pursuant to Privafy’s obligations under this Addendum unless such costs are incurred due to Privafy’s breach of its obligations under this Addendum.
- Upon expiration or any earlier termination of the Agreement, Privafy shall, as set forth in the Agreement or upon Customer’s written request, delete or return to Customer all Personal Data in Privafy’s possession; provided, however, that Privafy may retain Personal Data as permitted or required to meet its obligations under applicable law. Deletion for the purposes of this sub-section 3h shall include putting Personal Data beyond further use.
- Customer hereby provides its general authorization to Privafy to appoint sub-Processors to perform the Agreement. Upon Customer’s request, Privafy shall provide a list of Privafy’s then-current sub-Processors.
- Privafy shall ensure that its sub-Processors are contractually obligated to protect Personal Data in compliance with Data Protection Law and consistent with the obligations imposed on Privafy in this Addendum. Privafy shall remain responsible for the acts and omissions of each sub-Processor, subject in each case to the terms of the Agreement.
- Privafy shall notify Customer of any addition or replacement of sub-Processors. Customer agrees that Privafy may provide notification of any such addition or replacement of sub-Processors via the Customer Notification Email. Customer must object to any change to its sub-Processors in writing within ten (10) business days after the date of the notification. If Customer and Privafy cannot mutually agree to a reasonable resolution to Customer’s objection, either party may terminate the Agreement upon written notice to the other party.
- Privafy certifies that it will not sell (as such term is defined in CCPA) Personal Data.
- Customer understands and agrees that Privafy is not liable for Customer’s failure to timely receive any duly-transmitted email sent to the Customer Notification Email pursuant to Sections 3e, 3f and 3i that was not received by Customer due to Customer’s failure to monitor or maintain as active the Customer Notification Email or technical issues outside of Privafy’s reasonable control.
4. International Transfers
Privafy, as Processor for Customer, shall transfer Personal Data outside of the European Economic Area, Switzerland, United Kingdom (as and when the United Kingdom leaves the European Union) or a country approved by the European Commission pursuant to Article 45(1) of GDPR only in compliance with Data Protection Law.
Except as amended by this Addendum, the Agreement shall remain in full force and effect. Any claims arising under this Addendum are subject to the exclusions and limitations in the Agreement. If the Agreement and this Addendum conflict, then this Addendum shall control but solely with respect to the Processing of Personal Data. This Addendum shall expire on the date on which Privafy no longer Processes Personal Data on behalf of Customer other than as needed to fulfill Privafy’s record retention obligations.