DATA PROCESSING ADDENDUM
Revised October 17, 2024.
This Data Processing Addendum is by and between Client (“Controller”) and Eze Castle Software LLC or its applicable affiliate (“Eze” or “Processor”) and is issued pursuant to and is governed by the terms and conditions of the governing agreement between the parties (“Agreement”), except as otherwise provided in this Data Processing Addendum. Notwithstanding anything in the applicable order (the “Order”) to the Agreement to the contrary, in the event of a conflict between the terms and conditions of this Data Processing Addendum and the Order, the terms and conditions of this Data Processing Addendum shall control. Capitalized terms not otherwise defined in this Data Processing Addendum shall have the meanings given to them in the Order. This Data Processing Addendum shall be effective as of the Effective Date of the Order.
WHEREAS, Controller has engaged Processor to provide software applications and services as set forth in the Order by and between Processor and Controller dated on or about the date hereof;
WHEREAS, notwithstanding anything in the Order to the contrary, Processor may receive Personal Data (as defined below) from Controller (such Personal Data, “Controller Personal Data”) in connection with the performance of Processor’s obligations under the Order; and
WHEREAS, Controller and Processor wish to ensure that processing of Controller Personal Data by Processor is governed by a binding agreement between Controller and Processor.
NOW THEREFORE, for and in consideration of the mutual promises and covenants set forth herein, Processor and Controller hereby agree to supplement the Order in relation to data protection subject to the express terms and conditions of this Data Processing Addendum as follows:
1. TERMS AND CONDITIONS. This Data Processing Addendum shall apply if and to the extent Processor receives and processes Controller Personal Data in connection with the performance of its obligations under the Order.
2. DEFINITIONS; INTERPRETATION. Capitalized terms used but not defined herein have the meanings given to such terms in the Order; provided, however, that for the purposes of this Data Processing Addendum the terms defined in this Section 2 have the meanings set out below. This Data Processing Addendum applies to personal data as defined under applicable laws as set forth in this addendum.
2.1. “EU GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, including any applicable data protection legislation or regulations or standard contractual clauses supplementing it in those jurisdictions in which relevant services are provided to Controller by Processor from time to time. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” have the meanings given in Article 4 (Definitions) of GDPR, and the corresponding terms in the Swiss Data Protection Laws, as applicable. “Personal Data” includes EU Personal Data, UK Personal Data and Swiss Personal Data;
2.2. “EU Personal Data” means any personal data to the extent that EU GDPR applies to the processing of such personal data or to the extent that a data subject is a resident of the EU or the EEA.
2.3. “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992, as revised on 25 September 2020 by the Swiss Federal Act on Data Protection 2020, in effect as of 1 September 2023.
2.4. “GDPR” means the EU GDPR and the UK GDPR, as applicable.
2.5. “UK GDPR” means the Data Protection Act 2018 and the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, in each case, to the extent applicable to Processor in the provision of services under the Order.
2.6. “UK Personal Data” means any personal data to the extent that UK GDPR applies to the processing of such personal data or to the extent that a data subject is a resident of the UK.
2.7. “Swiss Personal Data” means any personal data to the extent that Swiss Data Protection Laws apply to the processing of such personal data or to the extent that a data subject is a resident of Switzerland.
3. GDPR. For the purposes of GDPR, Eze and Client agree that, with regard to Controller Personal Data, Eze is the Processor and Client is the Controller and as such are subject to the relevant applicable provisions of GDPR.
3.1. Processing Instructions. For the purposes of this Data Processing Addendum, Controller and Processor agree that Controller is the Controller of Controller Personal Data and Processor is the Processor of Controller Personal Data, except where Controller acts as a Processor of Controller Personal Data, in which case Processor is a sub-processor. Controller hereby instructs Processor to Process Controller Personal Data as a Processor on behalf of Controller in any of the ways contemplated in, and for the purposes of carrying out any of the terms of, the Order and any purposes ancillary thereto.
3.2. Processor’s Obligations as Processor of Controller Personal Data. Processor will:
3.2.1. comply with its applicable obligations as a Processor under GDPR, including those requirements set out in Articles 28 (Processor), 29 (Processing under the authority of the controller or processor), 31 (Cooperation with the supervisory authority) and 32 (Security of processing) of GDPR in each case taking into account the nature of processing and the information available to Processor;
3.2.2. Process Controller Personal Data only on lawful documented instructions from Controller, to carry out Processor obligations under, or as otherwise permitted pursuant to the terms of, the Order or to comply with applicable law, including GDPR, including with regard to transfers of Controller Personal Data (if any) to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject; in such a case, Processor shall inform Controller of that legal requirement before Processing Controller Personal Data, unless that law prohibits disclosure of such information on important grounds of public interest;
3.2.3. ensure that any person authorized to Process Controller Personal Data is subject to confidentiality obligations substantially similar to, and no less protective than, those set forth in the Order;
3.2.4. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk as required pursuant to Article 32 of the GDPR, in each case taking into account the nature of processing and the information available to Processor;
3.2.5. taking into account the nature of the Processing of Controller Personal Data and the information available to Processor, provide reasonable assistance to Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
3.2.6. provide reasonable assistance to Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing of Controller Personal Data and the information available to Processor;
3.2.7. at the choice of Controller, delete or return all Controller Personal Data to Controller after the end of the provision of the services relating to the Processing of Controller Personal Data under the Order, and delete existing copies, provided that Processor shall be entitled to retain Controller Personal Data as required by applicable law or Processor relevant policies;
3.2.8. at Controller’s request and upon reasonable notice and access arrangements agreed in writing, make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Addendum and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller; and
3.2.9. if Processor receives a request from Controller’s Data Subject to exercise one or more of such Data Subject’s rights under the GDPR, notify Controller of such request and/or redirect such Data Subject to make its request directly to Controller.
3.3. Sub-Processing
3.3.1. To the extent necessary to fulfill Processor contractual duties and obligations under the Order or this Data Processing Addendum and subject to the terms set out in the Order and this Data Processing Addendum, Controller hereby grants to Processor a general authorization to delegate some or all services under the Order to one or more of its affiliates or other persons (and Controller’s consent to the delegation shall not be unreasonably revoked or withheld in respect of changes); provided that such persons are selected in good faith and with reasonable care and are supervised and monitored by Processor. If Processor delegates any services under the Order, such delegation shall not relieve Processor of its duties and obligations thereunder (and in respect of Personal Data, shall be subject to a written agreement obliging the delegate or agent to comply with the relevant delegated duties and obligations of Processor under this Data Processing Addendum).
3.3.2. Processor has specifically identified such agents and the services delegated to Controller (and will update Controller when making any material changes) in a commercially reasonable time frame in sufficient detail to provide transparency and enable Controller to object to a particular arrangement.
3.4. International Data Transfers
3.4.1. Processor only transfers Personal Data to its affiliates where that transfer complies with the requirements under Chapter V of GDPR, including, where applicable, as a result of a data transfer agreement containing the relevant Standard Contractual Clauses, which may be used for the transfer of personal data outside of the European Economic Area, Switzerland, the UK (in accordance with the UK Addendum to the extent required under UK GDPR) and any other jurisdictions that accepts the Standard Contractual Clauses as appropriate safeguards under applicable data protection laws. For the purpose of this section 3.4.1, “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as set out in the Annex to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or any subsequent clauses that may amend or supersede such standard contractual clauses) and the “UK Addendum” means the UK Addendum to the Standard Contractual Clauses published by the UK supervisory authority, the Information Commissioner’s Office and effective 21 March 2022 (or any revised UK Addendum as may be issued by the Information Commissioner’s Office).
3.4.2. To the extent required (A) under GDPR in relation to the transfer of Personal Data outside of the EEA (in the case of EU Personal Data) or the UK (in the case of UK Personal Data), (B) under Swiss Data Protection laws in relation to the transfer of Personal Data outside Switzerland, and (C) in relation to the transfer of Personal Data from any other jurisdiction to third countries where such jurisdiction accepts the Standard Contractual Clauses as appropriate safeguards under applicable data protection laws; and to the extent GDPR and/or Swiss Data Protection Laws apply to the transfer of personal data from Client as Controller where Client is either: (I) established in the EU, the UK and/or Switzerland; or (II) established outside the EU, the UK and/or Switzerland and subject to Art 3.2 of GDPR to Eze as Processor where Eze is established outside the EU, the UK and/or Switzerland and not subject to Art 3.2 of GDPR and where such transfer in the receipt and/or provision of Services under the Order constitutes an international data transfer for the purposes of the UK GDPR, the EU GDPR and/or Swiss Data Protection Laws:
i. The parties agree to incorporate into the Order the Standard Contractual Clauses and UK Addendum (as such terms are defined in this Data Processing Addendum) whereby Client on one hand is the “data exporter” and Controller and Eze on the other hand is the “data importer” and Processor;
ii. The parties also agree to incorporate into the Order the Standard Contractual Clauses for the transfer of personal data outside of Switzerland (subject to Appendix B.2 attached to this Data Processing Addendum) whereby Client on one hand is the “data exporter” and Controller and Eze on the other hand is the “data importer” and Processor;
iii. With respect to the Standard Contractual Clauses incorporated into the Order by reference:
a) The “competent supervisory authority” is the supervisory authority in Ireland with respect to transfers for EU GDPR purposes, and the Information Commissioner in the UK with respect to transfers for UK GDPR purposes,
b) the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 2 are omitted,
c) the time period in Clause 9(a) Option 2 is 30 days,
d) Module Two Transfer controller to processor applies and Modules One, Three and Four are omitted, the content of Exhibit A shall constitute the content of the required corresponding annexes to the Standard Contractual Clauses,
e) the Standard Contractual Clauses are governed by the law of Ireland with respect to transfers for EU GDPR purposes, and the law of England and Wales with respect to transfers for UK GDPR purposes,
f) any dispute arising from the Standard Contractual Clauses will be resolved by the courts of Ireland and if there is any conflict between the terms of the Order and the Standard Contractual Clauses in relation to data protection, the Standard Contractual Clauses will prevail, provided that it is acknowledged and agreed by Client that any Losses (as defined in the Order) arising in connection with breaches of Personal Data processing, including, but not limited to, claims for breach of the Standard Contractual Clauses - Module Two Transfer controller to processor, to the extent incorporated into this Order pursuant to this section 3.4.2 (each a “Data Protection Breach”) shall be subject to the applicable liability-related provisions of the Order, provided that nothing in this Order shall exclude the liability of either party related to a Data Protection Breach which cannot be limited or excluded under GDPR, to the extent applicable to Client on one hand and Eze on the other hand.
3.5. Personal Data Breach Notification.
3.5.1. Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach involving Controller Personal Data and provide reasonable assistance to Client in its notification of that personal data breach to the relevant supervisory authority and those data subjects affected as set out in Articles 33 (Notification of a personal data breach to the supervisory authority) and 34 (Communication of a personal data breach to the data subject) of GDPR.
3.5.2. Controller is responsible for making notifications related to a Personal Data Breach that are required by applicable law.
3.6. Controller Obligations. Controller agrees that it shall comply at all times with its applicable obligations as a Controller under GDPR, including those set out in this Data Processing Addendum. Controller acknowledges and agrees to be solely responsible for complying with all necessary transparency and lawfulness requirements as needed pursuant to applicable data protection law(s) including GDPR, including obtaining any necessary consents or authorizations in relation to the Processing of Personal Data outside the EU (in the case of EU Personal Data), the UK (in the case of UK Personal Data) for GDPR compliance purposes and Switzerland for compliance purposes with Swiss Data Protection Laws. An up-to-date list of the data importer’s sub-processors and their jurisdictions for Eze Castle Software LLC is available at https://www.ezesoft.com/sub-processors. The point of contact for questions regarding sub-processors for Eze Castle Software LLC is EZE-privacy@sscinc.com.
4. CALIFORNIA DATA PROTECTION. To the extent the processing of Controller Personal Data by Processor in the provision of services under the Order is subject to CCPA (as defined in Appendix C to this Data Protection Addendum), such processing shall be subject to the terms set out in Appendix C to this Data Processing Addendum.
5. BRAZIL DATA PROTECTION. To the extent the processing of Controller Personal Data by Processor in the provision of services under the Order is subject to LGPD (as defined in Appendix D to this Data Protection Addendum), such processing shall be subject to the terms set out in Appendix D to this Data Processing Addendum.
6. MISCELLANEOUS. This Data Protection Addendum supplements the Order in relation to data protection, and all terms of the Order not specifically modified by this Data Processing Addendum remain in full force and effect as set forth in the Order, provided that, for the avoidance of doubt, it is acknowledged and agreed by Client that the terms of the Order relating to limitations and exclusions of liability shall govern this Data Processing Addendum.
7. GOVERNING LAW. This Data Processing Addendum shall be governed by the laws of the jurisdiction specified in the Order except as expressly set forth otherwise in this Data Processing Addendum.
Appendix A to Data Processing Addendum
Information Relating to the Processing of Personal Data
Subject matter of Processing
Personal Data, if any, transferred by Eze or otherwise obtained by Eze or its affiliates as processor in connection with the Services under the Order.
Duration of Processing
The term of this Order and, if applicable, after the termination of this Order, to the extent required by applicable GDPR, or as agreed between the parties in writing.
Nature and purpose of Processing
Processing of Personal Data, if any, which may include special categories of personal data, for the purposes of the Services provided under the Order.
Types of Personal Data
Information relating to identified or identifiable natural persons, such as name, work landline phone number, work mobile, work email address.
Categories of data subjects
Natural persons connected with Client business, such as Client customers or Client directors, members, agents or representatives, employees, partners, shareholders, and beneficial owners.
Technical and organizational measures including technical and organizational measures to ensure the security of the Personal Data
Eze has adopted a defense-in-depth approach in line with industry practices to effectively address risks and to reduce their potential impact. The security initiative comprises management as well as technical measures and focuses on the following areas:
1. Security Operations
2. Application Security
3. Computing Platform Security
4. Network Security
5. Physical Security
6. Risk Management
Appendix B to Data Processing Addendum
Switzerland Addendum to the Standard Contractual Clauses
1. To the extent required under Swiss Data Protection Laws in relation to the transfer of Personal Data from Switzerland to any third country and to the extent Swiss Data Protection Laws apply to the transfer of personal data from Client as Controller to Eze as Processor, where such transfer in the receipt and/or provision of services under the Order constitutes an international data transfer for the purposes of Swiss Data Protection Laws; this Appendix B forms part of and is incorporated into the Data Protection Addendum to which it is attached.
2. With respect to the Standard Contractual Clauses incorporated into the Order by reference to provide appropriate safeguards for the transfers to ensure compliance with Swiss Data Protection Laws, and in addition to the necessary adaptations and amendments made under paragraph 3.4.2.(iii) of the Data Protection Addendum:
(a) references to the Regulation (EU) 2016/679 should be understood as references to Swiss Data Protection Laws and the term “Member State” cannot be interpreted to exclude data subjects from exercising their rights under Swiss Data Protection Laws;
(b) the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner insofar the data transfer is governed by Swiss Data Protection Laws;
(c) the Standard Contractual Clauses are governed by the law of Switzerland insofar the data transfer is exclusively subject to the Swiss Data Protection Laws;
(d) clause 13(a) and Part C of Annex I are not used,
(e) the term personal data shall be deemed to include the data of legal entities to such extent such data is protected under Swiss Data Protection Laws; and
(f) any amendments required from time to time by the Swiss Federal Data Protection and Information Commissioner in order to comply with Swiss Data Protection Laws.
Appendix C to Data Protection Addendum
California Privacy Legislation
1. For the purposes of this Appendix C the following terms shall have the following respective meanings:
(a) “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 to 1798.199, effective 1 January 2020, as amended by the California Privacy Rights Act of 2020, effective 1 January 2023 and their respective implementing regulations.
(b) “Personal Information” means personal information within the meaning of CCPA which is received or collected by Eze from, or on behalf of, Client in connection with performing its obligations pursuant to this Order.
(c) “Business”, “Business Purpose”, “Consumer”, “Sell”, “Service Provider” “Share” and “Verifiable Consumer Request” have the meaning given in Section 1798.140 of CCPA.
2. To the extent CCPA applies to Client as Business and Eze as Service Provider in the receipt and/or provision of Services under the existing agreement(s) Client has with Eze, Eze and Client hereby agree the following:
(a) Eze, as a Service Provider, shall not:
(i) Sell or Share Personal Information;
(ii) retain, use or disclose any Personal Information for any purpose other than:
1. the limited and specified Business Purposes of providing the Services or performing its obligations under Client’s agreement(s) with Eze; or
2. in accordance with Client’s lawful instructions; or
3. outside of the direct business relationship between Eze and Client; or
4. as otherwise permitted pursuant to CCPA, including the purposes described in Section 1798.145, subdivisions (a)(1) to (a)(4) of CCPA
(iii) combine Personal Information with personal information received from or on behalf of another person, or collected from Eze’s own interactions with individuals.
(b) Eze shall comply with its own applicable obligations as Service Provider under CCPA and provide the same level of privacy protection as is required by CCPA.
(c) Eze shall notify Client on a timely basis if at any time Eze makes a determination that it can no longer meet its obligations under CCPA.
(d) The parties agree that Client may take reasonable and appropriate steps to ensure that Eze uses Personal Information in a manner consistent with Client’s obligations under CCPA and, upon written notice to Eze stop and remediate the unauthorized use of Personal Information.
(e) Eze shall provide Client with reasonable assistance in Client’s obligations to respond to Verifiable Consumer Requests in connection with a request for information or deletion by such Consumer pursuant to CCPA, including Section 1798.105(c) of CCPA, and at Client’s written direction, Eze shall delete, or enable Client to delete, such Personal Information, in each case taking into account the nature of the processing and the information available to Eze, provided that Eze shall not be required to comply with a Consumer’s request to delete the Consumer’s Personal Information if it is reasonably necessary for the Business or the Service Provider to maintain the Consumer’s Personal Information in accordance with CCPA, including the purposes described in Section 1798.105.
(f) Client agrees that it shall comply at all times with its own applicable obligations as Business under CCPA. Client agrees to ensure that all relevant Consumers for whom Eze will process Personal Information on Client’s behalf as contemplated by the Order Client has with Eze are fully informed concerning such processing, including, where relevant, the processing of such Personal Information outside the State of California and if applicable provide consent for CCPA compliance purposes.
Appendix D to Data Protection Addendum
LGPD
1. For the purposes of this Appendix D:
(a) “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing”, have the meanings given by the corresponding terms in Article 5 of LGPD.
(b) “LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados) No. 13.709/2018 of 14 August 2018, to the extent applicable to Eze in the provision of services under the Order. For the purposes of LGPD, Eze and Client agree that, with regard to Controller Personal Data, Eze is the Processor and Client is the Controller and as such are subject to the relevant applicable provisions of LGPD.
2. Processor will comply with its applicable obligations as a Processor under LGPD, including those requirements set out in Chapter VI of LGPD (Personal Data Processing Agents) and Chapter VII of LGPD (Security and Good Practices).
3. Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach involving Controller Personal Data and provide reasonable assistance to Client in its notification of that personal data breach to the relevant supervisory authority and those data subjects affected as set out in Article 48 of LGPD. Controller is responsible for making notifications related to a Personal Data Breach that are required by applicable law.
4. Processor will not disclose or use Personal Data obtained from or on Controller’s behalf for any purpose other than (a) the specific purpose of providing the services set out under the Order or performing Processor obligations under the Order, (b) in accordance with Controller lawful instructions or (c) as otherwise permitted pursuant to LGPD.
5. Processor will, at the choice of Controller, delete or return all Controller Personal Data to Controller after the end of the provision of the services relating to the Processing of Controller Personal Data under the Order, and delete existing copies, provided that Processor shall be entitled to retain Controller Personal Data as required by applicable law or Processor relevant policies.
6. Controller agrees that it shall comply at all times with its applicable obligations as a Controller under LGPD, including those set out in this Data Processing Addendum. Controller acknowledges and agrees to be solely responsible for complying with all necessary transparency and lawfulness requirements as needed pursuant to applicable data protection law(s) including LGPD, including obtaining any necessary consents or authorizations in relation to the Processing of Personal Data outside Brazil for LGPD compliance purposes. An up-to-date list of the data importer’s sub-processors and their jurisdictions for Eze Castle Software LLC is available at https://www.ezesoft.com/sub-processors. The point of contact for questions regarding sub-processors for Eze Castle Software LLC is EZE-privacy@sscinc.com.