Data Processing Agreement

INCORTA, INC.

DATA PROCESSING ADDENDUM

This Data Processor Addendum together with all attachments and appendices (“DPA”) is made as of the Effective Date by and between Incorta, Inc. (“We”, “Us”, “Incorta”) and Customer (“You”, “Your”, “Customer”), pursuant to the Incorta Master Subscription Services and Cloud and Hosting Software as a Service Agreement or other written or electronic agreement between the parties, as applicable and updated from time to time (“Agreement”).

This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Incorta as a Processor under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed. Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement. In the event of a conflict between the terms of this DPA and the Agreement, this DPA shall prevail, provided that the limitations of liability provisions of the Agreement shall control.

This DPA will remain in effect for the term of the Agreement, the duration of Incorta Services, or the processing of the Personal Data, whichever is later.

  1. Definitions
    “California Personal Information” means Personal Data that is subject to the protection of the CCPA.

    “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

    “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

    “Customer Data” has the meaning ascribed to it in the Agreement.

    “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated, or replaced from time to time.

    “Data Subject” means the individual to whom Personal Data relates.

    “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

    “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

    “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

    “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

    “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Subprocessors in connection with the provision of the Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

    “Processor” means the entity which Processes Personal Data on behalf of the Controller.

    “Services” means the “Hosting Service” and/or “Incorta Cloud Subscription Service” as defined in the Agreement.

    “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, in the form set out at Schedule C.

    “Subprocessor” means any Processor engaged by Incorta to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement.

    “Service Provider” and “Business” will have the meanings given to them in the CCPA.

  2. Customer Responsibilities
    2.1. Compliance with Laws. Within the scope of the Agreement and in Your use of the Services, You will be responsible for complying with all requirements that apply to You under applicable Data Protection Laws with respect to Your Processing of Personal Data and the Instructions You issue to us. In particular but without prejudice to the generality of the foregoing, You acknowledge and agree that You will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which You acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring You have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that Your Instructions to us regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws.

    2.2. Controller Instructions. The parties agree that the Agreement (including this DPA), together with Your use of the Services in accordance with the Agreement, constitutes Your complete and final instructions to us in relation to the Processing of Personal Data, and additional instructions shall only be made in writing.
  3. Incorta Obligations
    3.1. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Your lawful Instructions, except where and to the extent otherwise required by applicable law, provided we may aggregate and anonymize such data in accordance with Data Protection Laws and use such resulting de-identified data set for our purposes.

    3.2. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with Your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify You of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as You issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to You under the Agreement for any failure to perform the applicable Services until such time as You issue new lawful Instructions with regard to the Processing.

    3.3. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Schedule A to this DPA (“Security Terms”). Notwithstanding any provision to the contrary, we may modify or update the Security Terms at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Terms.

    3.4. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

    3.5. Personal Data Breaches. We will notify You without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by You. At Your request, we will promptly provide You with such reasonable assistance as necessary to enable You to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if You are required to do so under Data Protection Laws.

    3.6. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Services in accordance with the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Customer Data, or to Customer Data we have archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of Your Incorta account after expiration or termination of Your subscription. You may also retrieve Your Customer Data from Your account.

  4. Data Subject Requests. The Incorta application provides You with a number of controls that You can use to retrieve, correct, or delete Personal Data, which You can use to assist You in connection with Your obligations under Data Protection Laws, including Your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”). To the extent that You are unable to independently address a Data Subject Request through the Incorta application, then upon Your written request we will provide reasonable assistance to You to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform You and will advise the Data Subject to submit their request to You. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
  5. Subprocessors. You agree that we may engage Subprocessors to Process Personal Data on Your behalf. We have currently appointed, as Subprocessors, the third parties listed in Schedule B to this DPA. We will notify You if we add or remove Subprocessors prior to any such changes. Where we engage Subprocessors, we will impose data protection terms on the Subprocessors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Subprocessors. We will remain responsible for each Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of such Subprocessor that cause us to breach any of our obligations under this DPA.
  6. Data Transfers. You acknowledge and agree that we may access and Process Personal Data as necessary to provide the Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Incorta in the United States and in other jurisdictions where Subprocessors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
  7. Additional Provisions for European Data
    7.1. Scope of Section 7. This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.

    7.2. Roles of the Parties. When Processing European Data in accordance with Your Instructions, the parties acknowledge and agree that You are the Controller of European Data, and we are the Processor.

    7.3. Instructions. If we believe that Your Instruction infringes European Data Protection Laws (where applicable), we will inform You without delay.

    7.4. Notification and Objection to New Subprocessors. We will notify You of any changes to Subprocessors listed in Annex 4 to this DPA and will give You the opportunity to object to the engagement of the new Subprocessor on reasonable grounds relating to the protection of Personal Data within thirty (30) days after releasing the notification. If You do notify us of such an objection, the parties will discuss Your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Subprocessor, or permit You to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by You prior to suspension or termination).

    7.5 Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and You do not otherwise have access to the required information, we will provide reasonable assistance to You with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

    7.6 Transfer Mechanisms for Data Transfers. 

    (a) Incorta shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

    (b) You acknowledge that in connection with the performance of the Services, Incorta is a recipient of European Data in the United States and Canada. The parties acknowledge and agree that Incorta will abide by and process European Data in compliance with the Standard Contractual Clauses.

    (c) The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Incorta will be deemed the “data importer” and Customer will be deemed the “data exporter” (notwithstanding that You may yourself be located outside Europe and/or be acting as a processor on behalf of third party controllers), and (ii) if and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

    7.7. Demonstration of Compliance. At Your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by You necessary to confirm our compliance with this DPA.

  8. Additional Provisions for California Personal Information
    8.1. Scope of Section 8. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.

    8.2. Roles of the Parties. When processing California Personal Information in accordance with Your instructions, the parties acknowledge and agree that You are a Business, and we are a Service Provider for the purposes of the CCPA.

    8.3. Responsibilities. The parties agree that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA. Incorta will not (a) sell any personal information; (b) retain, use, or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service; or (c) retain, use or disclose the personal information outside of the direct business relationship between the parties.

SCHEDULE A
Security Terms

The terms and conditions in this attachment (the “Security Terms”) shall apply when, during the course of providing Services to Customer, Incorta (a) Processes Personal Data or (b) requires access to Customer’s computer network or telecommunications systems (“Customer Network”). Nothing in these Security Terms is intended to limit or relieve Incorta of its most basic obligation to implement and maintain an effective information security program.

  1. Definitions
    1.1 Industry Standard Safeguards means those safeguards widely accepted by information security professionals as necessary to reasonably protect data during storage, processing and transmission consistent with the sensitivity of and widely recognized threats to such data. Examples of Industry Standard Safeguards include those practices described in ISO/IEC 27002:2013, NIST 800-44, Microsoft Security Hardening Guides, OWASP Guide to Building Secure Web Applications, and the various Center for Internet Security Standards.

    1.2 Other capitalized terms used and not defined in these Security Terms have the respective meanings given in the DPA or elsewhere in the Agreement.
  2. General Information Security Standards
    2.1 Incorta represents and warrants that:

    1. it has in place and will maintain a comprehensive, written information security program pursuant to which it has implemented administrative, technical and physical safeguards designed to: (1) ensure the confidentiality, integrity, availability and security of Personal Data; (2) protect against any foreseeable threats or hazards thereto; (3) protect against unauthorized, accidental or unlawful access to or use of Personal Data and Incorta systems; (4) protect against unauthorized, accidental or unlawful destruction, loss, alteration, encryption or misuse of Personal Data and (5) ensure that Incorta’s personnel are appropriately trained to maintain the confidentiality, integrity, availability and security of Personal Data, consistent with the terms of the DPA, these Security Terms, other provisions of this Agreement and all applicable laws and regulations;
    2. Such safeguards will include, without limitation, the application of Industry Standard Safeguards to protect Incorta’s systems used to Process Personal Data, and to limit access to Personal Data to only those employees, agents or service providers of Incorta who need the information to carry out the purposes for which Personal Data was disclosed to Incorta;
    3. Such safeguards are no less rigorous than those used by Incorta for its own information of a similar nature;
    4. Incorta is in and will remain in compliance with its information security program in all material respects; and
    5. Without limitation of the foregoing, Incorta has implemented and will maintain the following minimum controls with respect to Personal Data:

Security Control Category
Description
Information Security Program
  • Assign to an individual or a group of individuals the responsibility for developing, implementing, and managing a comprehensive written information security program for the organization
  • The relevant personnel must be sufficiently trained, qualified and experienced to be able to fulfil these functions and any other functions that might reasonably be expected to be carried out by the personnel responsible for safeguarding Personal Data
  • Develop, maintain and document reasonable technological, physical, administrative and procedural safeguards, including without limitation, policies, procedures, guidelines, practices, standards, and controls that: Ensure the privacy, confidentiality, security, integrity and availability of Personal Data; Protect against any anticipated threats or hazards to the security and integrity of Personal Data; Protect against any Security Incident
  • Regularly test, and monitor and evaluate the sufficiency and effectiveness of the information security program, including Security Incident response procedures
Risk Assessment
  • Conduct information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Personal Data
  • The risk assessment should include:
    • Identifying and assessing reasonably foreseeable internal and external threats and risks to the privacy, confidentiality, security, integrity and availability of Personal Data
    • Assessing the likelihood of, and potential damage that can be caused by, identified threats and risks
    • Assessing the adequacy of personnel training concerning, and compliance with, the organization’s information security program
    • Assessing the adequacy of service provider arrangements
    • Adjusting and updating the organization’s information systems and information security program to limit and mitigate identified threats and risks, and to address material changes in relevant technology, business practices, Personal Data practices and sensitivity of Personal Data the organization processes
    • Assessing whether the organization’s information security program is operating in a manner reasonably calculated to prevent and mitigate Security Incidents
    • Documenting the risk assessment
  • Risk assessments should be conducted by independent third parties or internal personnel independent of those who develop or maintain the organization’s information systems or information security program
Data Collection, Retention and Disposal
  • Collect only as much Personal Data as needed to accomplish the purpose for which the information is collected
  • Refrain from storing Personal Data on media connected to external networks unless necessary for business purposes
  • Prohibit actions that can open security vulnerabilities to areas or systems that hold Personal Data
  • Securely dispose of records containing Personal Data so that the information cannot be read or reconstructed after it is no longer needed to comply with business purposes or legal obligations
  • Securely erase media containing Personal Data before reuse
Data Inventory
  • Track and periodically inventory Personal Data the organization collects, uses, maintains, discloses, disposes of or otherwise processes
  • Periodically inventory the organization’s information systems and assets that contain Personal Data
Personnel Background Checks
  • Conduct reasonable background checks (including criminal background checks) of any personnel or third parties who will have access to Personal Data or relevant information systems, and repeat the checks at appropriate and adequate intervals.
  • Maintain policy prohibiting individuals convicted of a crime of dishonesty, breach of trust or money laundering from having access to Personal Data
Personnel Training and Education
Regularly and periodically train personnel, subcontractors and any third parties who have access to Personal Data or relevant information systems concerning:
  • The organization’s information security program
  • The importance of the security, confidentiality and privacy of Personal Data
  • The risks to the organization and its customers associated with Security Incidents
Incorta Management and Oversight
  • Take reasonable steps and conduct due diligence to select and retain subcontractors that are capable of maintaining the privacy, confidentiality, security, integrity or availability of Personal Data consistent with the organization’s contractual and other legal obligations
  • Contractually require subcontractors to maintain adequate safeguards for Personal Data that are at least equivalent to the safeguards that the organization must implement pursuant to contractual or legal requirements
  • Regularly assess and monitor subcontractors to confirm their compliance with the applicable privacy and information security requirements
Segregation of Duties
Duties and areas of responsibility of the organization’s personnel should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Personal Data or the organization’s information systems
Access Controls
  • Identify personnel, classes of personnel and third parties whose documented business functions and responsibilities require access to Personal Data, relevant information systems and the organization’s premises
  • Permit access to Personal Data, relevant information systems and the organization’s premises only to such authorized personnel and third parties
  • Maintain a current record of personnel and third parties who are authorized to access Personal Data, relevant information systems and the organization’s premises, and the purposes of such access
  • Maintain logical and physical access controls, secure user authentication protocols, secure access control methods, and firewall protection
  • Prevent terminated personnel, subcontractors or other third parties from accessing Personal Data and information systems by immediately terminating their physical and electronic access to Personal Data and relevant information systems
Secure User Authentication
To manage access to Personal Data and relevant information systems:
  • Maintain secure control over user IDs, passwords and other authentication identifiers
  • Require passwords controlling access to Personal Data to have minimum complexity requirements and be at least 8 characters in length
  • Maintain a secure method for selecting and assigning passwords and use multi-factor authentication and other reasonable authentication technologies when possible.
  • Assign unique user identifications and passwords that are not Incorta supplied default passwords
  • Require personnel, subcontractors and other third parties to change passwords at regular intervals or based on the number of access attempts, and whenever there is any indication of possible system or password compromise
  • Frequently (and at least every 90 days) change passwords for accounts that have access to Personal Data
  • Avoid reusing or recycling old passwords
  • Restrict access to Personal Data and relevant information systems to only active users and accounts
  • Block user access after multiple unsuccessful attempts to login or otherwise gain access to Personal Data or relevant information systems
  • Terminate user access after a predetermined period of inactivity
  • Promptly revoke or change access in response to personnel termination or changes in job functions
Incident Detection and Response
Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents, including through:
  • Training personnel with access to Personal Data to recognize actual or potential Security Incidents and to escalate and notify senior management of such incidents
  • Mandatory post-Security Incident review of events and actions taken concerning the security of Personal Data
  • Policies governing the reporting of Security Incidents to regulators and law enforcement agencies
Encryption
Apply encryption with industry-standard algorithms and key lengths to Personal Data:
  • Stored on laptops, mobile devices, portable storage devices or removable archival media
  • Stored on file servers or in application databases
  • Stored outside of the organization’s physical controls
  • Transmitted across any public network (such as the Internet) or wirelessly
  • Transmitted in email attachments
  • In transit outside of the organization’s information systems
Maintain policies prohibiting such storage or transmission unless required encryption has been applied
Network Security
Implement network security controls such as up-to-date firewalls, layered DMZs and updated intrusion detection/prevention systems, including firewalls between the organization’s information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks that are not necessary for processing Personal Data; the firewalls must be reasonably designed to maintain the security of Personal Data and relevant information systems
Data Segregation
Physical or logical segregation of Personal Data to ensure it is not commingled with another party’s information except as approved by Customer
Malicious Code Detection
  • Implement and maintain software that detects, prevents, removes and remedies malicious code designed to perform an unauthorized function on, or permit unauthorized access to, any information system, including without limitation, computer viruses, Trojan horses, worms, and time or logic bombs
  • Run malicious code detection software at least daily
  • Update malicious code detection software at least daily, including by obtaining and implementing the most current available virus signatures
Vulnerability and Patch Management
Maintain vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code
Application Security
Maintain application security and software development controls designed to prevent the introduction of security vulnerabilities in software developed by Incorta that Processes Personal Data
Change Controls
  • Prior to implementing changes to the organization’s information systems, follow a documented change management process to assess the potential impact of such changes on privacy, confidentiality, security, integrity and availability of Personal Data, and determine whether such changes are consistent with the organization’s information security program
  • No changes should be made to the organization’s information systems or information security program that increase the risk of a Security Incident or fail to comply with the organization’s contractual or other legal obligations
Off-Premise Information Security
  • Maintain policies governing the security of the storage, access, transportation and destruction of records or media containing Personal Data outside of the organization’s business premises
  • Monitor and document movement of records or media containing Personal Data
  • Create copies of Personal Data before movement of records or media containing the information
Physical Security
  • Maintain reasonable restrictions on physical access to Personal Data and relevant information systems (e.g., clean desk policy)
  • Maintain physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster
  • Lock workstations with access to Personal Data when unattended
  • Document repairs and modifications to information security-related physical components of the organization’s information systems
Secure Destruction
Secure destruction procedures to sanitize any unencrypted hard disk, portable storage device or backup media containing Personal Data prior to sending it offsite for maintenance or disposal purposes
Contingency Planning
  1. Maintain policies and procedures for responding to an emergency or other occurrence that can compromise the privacy, confidentiality, integrity or availability of Personal Data or damage the organization’s information systems; such policies and procedures should provide for:
  • Creating and maintaining retrievable copies of Personal Data
  • Restoring any loss of Personal Data
  • Enabling continuation of critical business processes involving Personal Data in emergency mode
  • Assessing relative criticality of specific applications and Personal Data in support of other contingency plan components
  • Periodic testing and updates of contingency plans

  • 2.1 Incorta represents and warrants that prior to permitting any Subcontractor to access Personal Data, Incorta shall conduct a reasonable, documented investigation of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Data in compliance with this Agreement.
  • 2.2 Incorta will designate an individual who will serve as Customer’s ongoing point of contact for purposes of addressing issues with respect to the use and security of Personal Data during the term and following the termination or expiration of this Agreement.  Such individual will be accessible to Customer and will cooperate with Customer to address such issues.
  • 2.3 Incorta shall promptly notify Customer of any material change in the controls or other safeguards that affect Incorta’s ability to fulfill Security Terms.
  • 2.4 On termination of this Agreement for any reason or upon request, Incorta will cease Processing Personal Data, return a copy of the Personal Data to Customer and then securely delete or destroy, as applicable, all Personal Data in Incorta’s possession (except as prohibited by law or other explicit data retention and/or return provisions in this Agreement).

3. Risk Assessments and Security Audits

  • 3.1 Incorta will perform regular (i.e. at least quarterly) vulnerability tests and assessments against all systems Processing Personal Data, and shall perform regular (i.e. at least annually) penetration tests against any Internet-facing systems used in connection with the Services. Incorta further agrees to perform regular (i.e. at least annually) risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data.  With respect to systems Processing Personal Data, Incorta will provide Customer, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks.
  • 3.2 In addition to any other audit obligations that may be contained in this Agreement, Customer or its designated third party, at its sole expense, may inspect (i) Incorta’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including data centers or premises where the Personal Data is stored at or accessed from, and (ii) Incorta’s Processing practices, (“Inspection”).  Incorta shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by Customer in connection with any such Inspections, including, without limitation, such information as Customer requires to verify compliance with this Agreement and Data Protection Laws, provided, however that such audit activities may not unreasonably interfere with Incorta business activities. Incorta shall take such remedial actions as are reasonably required by Customer following the Inspection.
  • 3.3 Without prejudice to the rights granted in Section 3.2 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Incorta provides such report to Customer confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.

4. Security Breaches and Incident Response

  • 4.1 Incorta agrees to notify Customer immediately (but in no case later than 24 hours) after learning of a Security Incident.  Notification must include a phone call to Incorta’s primary account contact.
  • 4.2  Notification shall include at a minimum (a) a description of the Incident including impact and likely consequences thereof, (b) the expected resolution time (if it has not already been resolved), (c) corrective measures to be taken, evaluation of alternatives, and next steps, and (d) the name and phone number of the Incorta representative that Customer may contact to obtain further information and updates.  Without limitation of the foregoing, Incorta shall promptly provide Customer with the following information as it becomes available:
    1. a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
    2. a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and
    3. whether any regulatory authority, the Data Subjects or the media have been informed or are otherwise already aware of the Security Incident, and their response.
  • 4.3 Customer may require that Incorta’s access to, or processing or storing of Personal Data be suspended, connectivity with Customer be terminated, or other appropriate action be taken pending such resolution.
  • 4.4 Incorta agrees to keep Customer informed of progress and actions taken to address the Security Incident and prevention of future such Security Incidents, and to provide Customer with all facts about the Security Incident as appropriate for Customer to conduct its own assessment of the risk to Personal Data and of Customer’s overall exposure to such Security Incident.
  • 4.5 Unless such disclosure is mandated by law, Customer in its sole discretion will determine whether to provide notification to Customer’s customers or employees concerning incidents involving Personal Data.  Customer agrees to coordinate with Incorta on the content of any intended public statements or required notices for affected individuals and/or notices to the relevant Regulators regarding incidents involving Personal Data.
  • 4.6 Without limitation of any other provisions of this Agreement, in the event of a Security Incident involving unencrypted Personal Data, Incorta agrees to provide the following at Incorta’s expense upon Customer’s request:  (a) notice to individuals whose Personal Data was affected by the Security Incident in a manner and format determined by Customer, in its sole discretion, as well as to any other third parties, such as Regulators, law enforcement agencies and consumer reporting agencies, that Customer determines should be notified of the Security Incident, in its sole discretion, (b) one year of credit monitoring,  (c) any other relief service(s) as required by applicable law to affected individuals; and (d) reasonable co-operation with Customer to offer any other remediation services deemed necessary by Customer or which are customarily provided to individuals impacted by a breach in confidentiality of their Personal Data in the relevant jurisdictions.
Schedule B
List of Subprocessors

Subprocessor | Purpose | Location
--- | --- | ---
GCP | Hosting & Infrastructure | USA

Schedule C
Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. Subject to the terms of the DPA, these Standard Contractual Clauses shall be deemed executed when the Agreement is executed including via clickthrough or a signed Order Form referencing the Agreement with this DPA incorporated.

NOW THEREFORE, each a “party”; together “the parties,”

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1

Clause 1
Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.


Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data, has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about:
    1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    2. any accidental or unauthorized access, and
    3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    2. to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer, and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and may be amended by the parties in writing.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data Exporter

The Data Exporter is (please specify briefly your activities relevant to the transfer):

Data Exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the EEA and Switzerland that have purchased the Incorta services on the basis of one or more Order Form(s).

Data importer

The Data Importer is (please specify briefly activities relevant to the transfer):

Incorta, Inc., is a provider of enterprise cloud and hosting services which Processes Personal Data upon the instruction of the Data Exporter in accordance with the terms of the Agreement.

Data subjects

The Personal Data transferred concern the following categories of data subjects (please specify):

Data Exporter may submit Personal Data to the Service, the extent of which is determined and controlled solely by the Data Exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Prospects, customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of data exporter (who are natural persons)
  • Data exporter’s Users authorized by data exporter to use the Service

Categories of data

The Personal Data transferred concern the following categories of data (please specify):

Data Exporter may submit Personal Data to the Service, the extent of which is determined and controlled solely by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Localization data
  • Business requirements

Special categories of data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

Data Exporter may submit special categories of data to the Service, the extent of which is solely determined and controlled by the Data Exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health or sex life.

Processing operations

The Personal Data transferred will be subject to the following basic processing activities (please specify):

The objective of Processing of Personal Data by Data Importer is the performance of the Service and support services pursuant to the Agreement.


APPENDIX 2 TO THE DPA AND THE STANDARD CONTRACTUAL CLAUSES

This Appendix 2 forms part of the Standard Contractual Clauses and/or the DPA.

Description of the technical and organizational security measures implemented by Incorta:

Incorta will maintain administrative, physical, and technical safeguards for the protection, security, confidentiality and integrity of Personal Data Processed by the Services, as described in the security documentation applicable to the specific Services licensed by Customer, or otherwise made reasonably available by Incorta. Incorta will not materially decrease the overall security of the Services but may update technical and security measures from time to time.