Company
Data Processing Addendum
With Standard Contractual Clauses attached.
(AutoRABIT Processor)
Last Updated: October 24, 2021
This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and AutoRABIT Holding, Inc. (“Service Provider” or “AutoRABIT”) and applies to the extent that (i) AutoRABIT processes Personal Data on behalf of Customer in the course of providing Services and (ii) the Agreement expressly incorporates this DPA by reference. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
The Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR and Section 1798.140(w)(2) of the California Consumer Privacy Act. This Addendum is effective for the term of the Agreement. There are four attachments to this Addendum; each is incorporated by reference:
- Schedule 1: List of Service Provider’s Subcontractors
- Schedule 2: Standard Contractual Clauses
- Schedule 3: Data Security Addendum
1. DEFINITIONS:
1.1. For the purpose of this Addendum:
1.1.1. “Agreement” means the AutoRABIT Software License and Services Agreement or other written or electronic agreement between Customer and AutoRABIT for the provision of the Services to Customer.
1.1.2. “Controller” has the meaning given in the GDPR;
1.1.3. “Customer Personal Data” means the Personal Data described under Section 2 of this Addendum, where the Customer is the Controller;
1.1.4. “Data Protection Laws” means the European Union General Data Protection Regulation 2016/679 (as amended and replaced from time to time) (“GDPR”) and national implementing legislation; the Swiss Federal Data Protection Act (as amended and replaced from time to time); the Monaco Data Protection Act (as amended and replaced from time to time); the U.K. Data Protection Act (as amended and replaced from time to time); the Data Protection Acts of the European Economic Area (“EEA”) countries (as amended and replaced from time to time); and the California Consumer Privacy Act of 2018 [1798.100-1798.199] (“CCPA”).
1.1.5. “Data Subject” has the meaning given in the GDPR;
1.1.6. “Personal Data,” “Personal Data Breach,” and “Processor” will each have the meaning given to them in the GDPR; and
1.1.7. “Process” or “Processing” will have the meaning given to them in the GDPR.
1.1.8. “Processing Sites” are those facilities where the Service Provider processes Personal Data.
1.1.9. “Services” means any cloud service offering or customer support services provided by AutoRABIT to Customer pursuant to the Agreement.
1.1.10. “Standard Contractual Clauses” or “SCC” means either (i) UK Standard Contractual Clauses, and/or (ii) 2021 Standard Contractual Clauses, as the context and circumstances require. (a) “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU. (b) “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914. The SCC is incorporated into this Addendum as Schedule 2. In the event that an updated version of the SCC is approved by the European Commission, the parties will agree to the updated version.
2. DETAILS OF THE PROCESSING
2.1. Controller and Processor. For purposes of this Addendum, the Customer is the Controller and Service Provider is the Processor in relation to the Personal Data.
2.2. Consent. It is the Controller’s obligation to determine the legal basis for processing the Personal Data, to notify and obtain an individual’s consent, consistent with applicable laws, for Service Provider to process the Personal Data.
2.3. Categories of Data Subjects. This Addendum applies to the processing of Customer Personal Data generally relating to Service Provider’s backups of all available data and metadata in Customer’s Salesforce.com account. Customer may submit Customer Personal Data to its Salesforce.com account, the extent of which is determined and controlled by the Customer in its sole discretion. Schedule 2 lists the specific categories of data subjects.
2.4. Types of Personal Data. Customer Personal Data includes at least these types of information: name, address, phone number, email address, title, and employer name. Schedule 2 lists the specific categories of data types.
2.5. Duration of the Processing. Customer Personal Data will be processed for the term of the Agreement unless instructed by the Customer to be terminated earlier under this Addendum, and for only so long as may be necessary for Service Provider to fulfil any legal obligations.
2.6. Processing Records. The Controller and Service Provider will keep separate records of the processing sufficient to demonstrate compliance with the relevant Data Protection Laws.
2.7. Compliance with the CCPA. Service Provider will process, retain, use, and disclose Personal Data only as necessary to provide the Services, which constitutes a business purpose as defined in the CCPA. Service Provider agrees not to (a) sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. Service Provider understands its obligations under the CCPA and will comply with them. Service Provider certifies that its sub-processors are Service Providers (as defined in the CCPA), with whom Service Provider has entered into a written contract that protects Participants’ Data.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1. Service Provider shall only Process Customer Personal Data on behalf of and per the Customer’s prior written instructions (including as set out in an attachment to this Addendum and the Agreement). The Service Provider is instructed to Process Customer Personal Data to the extent necessary to enable the Service Provider to provide the Services. If different or additional Processing is required to comply with the Data Protection Laws to which the Service Provider is subject, the Service Provider shall promptly (i) notify the Customer of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by the Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until the Customer issues new instructions.
4. DATA TRANSFERS
4.1. Controller is responsible for determining if a data transfer is legal and the appropriate transfer mechanism. The Controller is responsible for providing notice to the Data Subjects, and obtaining the appropriate consents necessary for Personal Data to be transferred from a Data Subject’s governing jurisdiction to the Processing Sites. Service Provider processes Personal Data in the United States and elsewhere. Service Provider will produce a list of the processing sites upon the Controller’s request.
4.2. The parties rely on the Standard Contractual Clauses to govern the cross-border transfer of EU Personal Data. It is agreed that the Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area, the United Kingdom, or Switzerland to outside the European Economic Area, the United Kingdom, and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data.
5. CONFIDENTIALITY
5.1. Service Provider shall ensure that Customer Personal Data is not made accessible to its personnel who do not need to have access to the data in order to carry out their roles in the performance of the Service Provider’s obligations under this Addendum. Service Provider shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. SECURITY MEASURES
6.1. Service Provider shall implement, and maintain throughout the term of the Addendum at all times in accordance with then current good industry practice, technical and organizational measures to protect against unauthorized or unlawful Processing of, or accidental loss, destruction, or damage to, Customer Personal Data.
6.2. On request, Service Provider shall provide the Customer with a written description of the security measures.
6.3. Customer shall be responsible for the security of its administrative users’ accounts and passwords and shall notify AutoRABIT immediately of any unauthorized use of any password or account or any other known or suspected breach of security. Customer shall be responsible for the acts or omissions of its administrative users in connection with the use of, and access to, the Service.
7. SUB-PROCESSING
7.1. Customer grants Service Provider a general authorization to engage sub-Processors to process Customer Personal Data provided that: (i) Service Provider provides to Customer an up-to-date list of its then-current sub-Processors upon request; (ii) Service Provider provides at least 30 days’ prior notice of the addition or removal of any sub-Processor (including the categories of personal data processed, details of the processing it performs or will perform, and the location of such processing); (iii) Service Provider shall enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor obligations that are consistent with the Data Protection Laws; and (iv) Service Provider remains fully liable for any breach of this Addendum that is caused by a negligent act or omission of its sub-Processor.
7.2. A current list of Service Provider’s authorized sub-Processors is attached to this Addendum as Schedule 1. Service Provider shall not engage a sub-Processor without the prior written authorization of the Customer. If Customer refuses to consent to Service Provider’s appointment of a sub-Processor, then either Service Provider will not appoint the sub-Processor or either Party may terminate this Addendum and the Agreement without penalty.
8. RIGHTS OF AUDIT
8.1. Subject to: (i) Customer providing Service Provider with not less than twenty (20) business days’ prior written notice; (ii) not more than once annually and only during the term of the Agreement; and (iii) Customer and any of its representatives, designees and auditors entering into adequate confidentiality agreements (as required by Service Provider), Service Provider shall make available such information as may reasonably be necessary to demonstrate compliance with its obligations under this Addendum and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Service Provider shall immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws.
8.2. Customer shall:
8.2.1. promptly provide Service Provider with information regarding any non-compliance discovered during the course of an audit;
8.2.2. conduct such audits during Service Provider’s normal business hours and for a reasonable duration, which shall not unreasonably interfere with its day-to-day operations.
9. COOPERATION
9.1. During the term of the Agreement, Service Provider shall:
9.1.1. provide reasonable assistance to enable Customer to address any request or complaint received from Data Subjects or any applicable data protection or similar authority. Service Provider shall notify Customer without undue delay and in any event with no less than five (5) business days’ notice of any request or complaint Service Provider receives from Data Subjects regarding Customer Personal Data. Service Provider shall notify Customer of requests received from applicable data protection or similar authorities regarding Customer Personal Data without undue delay and in any event no later than forty-eight (48) hours after receiving such requests. Service Provider shall not respond to any such requests except on the documented instructions of the Customer;
9.1.2. provide assistance as reasonably required to demonstrate compliance with Customer’s obligations under the Data Protection Laws, including to:
9.1.2.1. give effect to the rights of Data Subjects under the Data Protection Laws,
9.1.2.2. facilitate the Customer in its conduct of a data protection impact assessment (“DPIA”), if the Data Protection Laws require the performance of a DPIA.
9.2. Customer acknowledges and agrees that some instructions from the Customer, including assisting with audits, inspections or DPIAs by Service Provider, may result in additional fees. Service Provider will notify the Customer in advance of its fees for providing such assistance.
10. PERSONAL DATA BREACHES
10.1. Service Provider shall notify the Customer without undue delay and in any event no later than forty-eight (48) hours after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. Service Provider shall (i) provide Customer with a description of the Personal Data Breach, including the type of Customer Personal Data, approximate number of Data Subjects and records potentially impacted (if known), (ii) take such actions as may be reasonably necessary to minimize the effects of the Personal Data Breach, (iii) provide timely information and reasonable cooperation for Customer to meet any obligations to report or inform Data Subjects or the relevant data protection authorities of the Personal Data Breach. Notifying Data Subjects and/or reporting to regulatory authorities is the responsibility of the Controller.
10.2. Customer shall treat all information regarding the Personal Data Breach as Confidential Information under the Agreement except to the extent it is necessary to disclose to a regulatory authority, notify a data subject, or seek legal or forensic professional services.
11. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
11.1. Service Provider shall, at the Customer’s choice, delete or return Customer Personal Data to the Customer after the end of the term of the Agreement, and delete all existing copies unless relevant laws or regulations require retention of the Personal Data, or retention is required for audit or discovery purposes.
12. GENERAL PROVISIONS
12.1. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
12.2. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Agreement, the provisions of this Addendum shall prevail, except with respect to data subject rights and the transfer of Personal Data and, then, the SCC shall prevail.
Schedule 1
AutoRABIT Subcontractors
AutoRABIT may use the following subcontractors in the performance of the Services:
| Subcontractor | Services |
|---|---|
| Amazon (AWS) / Microsoft (Azure) | Cloud hosting |
| Zoho | Support ticketing |
Schedule 2
Standard Contractual Clauses
1. UK Standard Contractual Clauses. For transfers of Personal Data out of the United Kingdom that are subject to this DPA, the UK Standard Contractual Clauses will apply and are incorporated into the DPA by reference, provided that the illustrative indemnification clause within Appendix 2 of the UK Standard Contractual Clauses will not apply. Annex 1 to this Schedule 2 will serve as Appendix 1 of the UK Standard Contractual Clauses. Annex II to this Schedule 2 will serve as Appendix 2 of the UK Standard Contractual Clauses.
2. The 2021 Standard Contractual Clauses. For transfers of Personal Data out of the EEA or Switzerland that are subject to this DPA, the 2021 Standard Contractual Clauses are incorporated into the DPA by reference, and will apply in the following manner:
a. Module Two (Controller to Processor) will apply where Customer is a controller of Personal Data and AutoRABIT is a processor of Personal Data.
b. Module Three (Processor to Processor) will apply where Customer is a processor of Personal Data and AutoRABIT is a sub-processor of Personal Data.
c. For each Module:
(i) Clause 7 will not apply;
(ii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set forth in Section 7 of the DPA;
(iii) in Clause 11(a), the optional language will not apply;
(iv) in Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland;
(v) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(vi) In Annex I, Part A:
Data exporter: Customer
Contact details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications
Data exporter role: Data exporter’s role is outlined in Section 2 of the DPA
Signature and date: The parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both parties
Data importer: AutoRABIT Holding, Inc.
Contact details: 548 Market Street, PMB 98272, San Francisco, CA 94104; e-mail: [email protected]
Data importer role: Data importer’s role is outlined in Section 2 of the DPA
Signature and date: The parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both parties
(vii) In Annex I, Part B:
(a) The categories of data subjects whose personal data is transferred are:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of data exporter (who are natural persons)
- Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of data exporter (who are natural persons)
- Data exporter’s Users authorized by data exporter to use the Services
(b) The categories of Personal Data transferred are:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Localisation data
(c) Sensitive data transferred (if applicable):
Data exporter may submit sensitive categories of personal data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is, for the sake of clarity, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
(d) The frequency of the transfer is on a continuous basis for the duration of the Agreement.
(e) The nature of the processing is described in Section 2 of the DPA.
(f) The purpose of the processing is described in Section 2 of the DPA.
(g) The period of retention of Personal Data in relation to the processing will end upon termination of the Agreement.
(h) For transfers to sub-Processors, the subject matter and nature of the processing is described in Section 7 of the DPA. The duration of processing by sub-Processors is the same as by data importer;
(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority; and
(ix) Annex II: Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security, Privacy and Architecture Documentation applicable to the specific Services purchased by data exporter, and made reasonably available by data importer. Data Importer will not materially decrease the overall security of the Services during a subscription term.
3. Additional Clauses. Each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:
Clause 8.9 of the 2021 Standard Contractual Clauses and Clause 5(f) of the UK Standard Contractual Clauses: Audit. Data exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 or Clause 5(f), as applicable, by instructing data importer to comply with the audit measures described in Section 8 (Rights of Audit) of the DPA.
Clause 12 of the 2021 Standard Contractual Clauses and Clause 6 of the UK Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
Clause 11 of the UK Standard Contractual Clauses: Onward sub-processing. The parties acknowledge that Article 28 of the United Kingdom GDPR allows for the general written authorization of a sub-processor subject to notice of and the opportunity to object to the sub-processor. Accordingly, data exporter provides a general consent to AutoRABIT, pursuant to Clause 11 of the UK Standard Contractual Clauses, to engage onward sub-processors. That consent is conditional on AutoRABIT’s compliance with the requirements set out in Section 7 (Sub-Processing) of the DPA.
Schedule 3
Data Security Addendum
AutoRABIT shall have in place security safeguards that are designed to conform to or exceed industry standards regarding the protection of the confidentiality, integrity and availability of Customer Data. AutoRABIT uses a defense-in-depth strategy to ensure the security of Customer Data, achieved by utilizing the National Institute of Standards and Technology (NIST) Risk Management Framework 800-37 as the foundation of AutoRABIT’s information security program.
AutoRABIT employs role-based access controls to servers containing Customer Data which are consistent with job duties and contractual requirements. Access to Customer Data is limited to authorized company employees on a “need to know” basis. Authorized employees must use an individual account and multi-factor authentication to gain access to Customer Data. Authorization is done on a “least privilege” model.
AutoRABIT stores Customer Data on AutoRABIT servers housed within independently verified SSAE-16/SOC 1 Type II, ISO 27001, PCI certified authorized data centers (including Amazon Web Services (AWS) and Microsoft Azure facilities). The data centers’ physical and environmental security includes industry-leading network hardening and active monitoring, digital security video surveillance and 24/365 on-site security staff. AutoRABIT encrypts Customer Data at rest with FIPS 140-2 approved algorithms (AES-256).
AutoRABIT utilizes HTTPS for securing Customer Data in transit and for web server to web browser communications. When a user accesses the web interface via an internet browser, the HTTP session is redirected to HTTPS using a Transport Layer Security (TLS 1.1 and 1.2) or higher connection.
AutoRABIT’s systems and networks are constantly monitored for security incidents, system health, network and traffic anomalies, and availability. AutoRABIT performs periodic internal web application vulnerability assessments to ensure application security controls are properly applied and operating effectively as designed. On at least an annual basis, AutoRABIT performs external vulnerability assessments using third-party web application and penetration testing assessors. The scope of these external audits assesses compliance with the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities. Vulnerability assessment results are incorporated into the AutoRABIT Software Development Lifecycle (SDLC) to remediate vulnerabilities and internally tracked through resolution.