Vendor Data Processing Addendum

1. DEFINITIONS AND INTERPRETATIONS

1.1 This Data Processing Addendum (the “Addendum”) is incorporated into and forms part of the services agreement or other agreement (the “Agreement”) between you (“Customer”) and SafeBase, Inc. (“Supplier”).

1.2 The following definitions shall apply in this Addendum unless the context requires otherwise. Capitalized terms that appear in this Addendum but are not defined here shall have the meaning given in the Agreement:

“Customer Personal Data” means Personal Data Processed by Supplier as Processor on behalf of Customer under the Agreement for the purposes of providing the Services.

“Controller”, “Processor”, “Processing” (and related terms such as “Process” and “Processed”), and “Data Subject” have the meanings given to these terms in the Data Protection Laws.

“Data Protection Laws” means all laws and regulations relating to the Processing, privacy, and use of Personal Data, as applicable to the parties, and/or to the Processing of Personal Data under the Agreement, including the California Consumer Privacy Act and the California Privacy Rights Act (collectively the “CCPA”) and European Data Protection Laws.

“European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and/or any corresponding or equivalent national data protection laws or regulations of the European Economic Area member states and the United Kingdom (including any judicial or administrative interpretation of any of the above) applicable to the Processing of Personal Data under the Agreement, including the GDPR as it forms part of the laws of the United Kingdom, and the Data Protection Act 2018 (collectively “UK GDPR”).

“Permitted Territories” means a country deemed adequate for the transfer and Processing of Customer Personal Data pursuant to Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.

1.3 “Security Incident” means any actual or reasonably suspected (a) accidental, unauthorized or unlawful loss, destruction or theft of Customer Personal Data; (b) unauthorized or unlawful use, disclosure, alteration, encryption, acquisition of or access to, or other unauthorized Processing of Customer Personal Data; or (c) unauthorized access to, use of, inability to access, or malicious infection of, Customer or Supplier information systems that reasonably may be expected to compromise the privacy, confidentiality or security of Customer Personal Data.

1.4 “Sub-Processor” means another Processor engaged by Supplier for carrying out Processing activities in respect of Customer Personal Data.

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

2. DATA PROCESSING DETAILS AND COMPLIANCE

2.1 The parties acknowledge that Supplier is a Processor of Customer Personal Data and Customer is also a Processor on behalf of its customers (the Controllers). Each party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

2.2 Details of Customer Personal Data Processed under the Agreement are set out in Annex 1 of this Addendum (Data Processing Details).

3. DATA PROCESSING INSTRUCTIONS

3.1 Supplier shall Process Customer Personal Data only on the written instructions of Customer (including as set out in this Addendum and the Agreement) and for no other purpose unless Supplier is required to Process Customer Personal Data by applicable laws. Supplier is hereby instructed to Process Customer Personal Data only to the extent necessary to provide the Services in accordance with the Agreement. In the event Supplier is required by applicable laws to Process Customer Personal Data other than in accordance with Customer’s instructions, prior to any such Processing and to the extent permitted by applicable laws, Supplier shall promptly notify Customer in writing of that legal requirement and cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until Customer issues new instructions.

3.2 Supplier shall promptly inform Customer if Supplier becomes aware of a written instruction given by Customer under this Clause 3 that, in Supplier's reasonable opinion, infringes Data Protection Laws.

3.3 Supplier shall not: (1) “sell” (as defined by the CCPA) Customer Personal Data; (2) retain, use, or disclose Customer Personal Data (a) for any purpose other than for the specific purpose of providing the Services under this Addendum or (b) outside its direct business relationship with Customer; or (3) combine Customer Personal Data with Personal Data Supplier receives from other sources except as permitted by the CCPA.

3.4 Supplier shall regularly (and not less than quarterly) assess its compliance with its obligations under Data Protection Laws and this Addendum and promptly notify Customer if such assessments indicate Supplier has failed or will fail to comply with its obligations under Data Protection Laws and this Addendum.

4. SUPPLIER PERSONNEL AND SUB-PROCESSORS

4.1 Customer authorizes Supplier to engage the Sub-Processors included in the Sub-Processor list in Annex 2 of this Addendum (“Sub-Processor List”) and other Sub-Processors that Supplier may add from time to time, including but not limited to those listed at trust.safebase.io.

4.2 Supplier shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data:

4.2.1 Supplier has, within a reasonable timeframe from permitting such access, conducted a reasonable, documented investigation on the Sub-Processor to verify that the Sub-Processor is capable of maintaining the privacy, confidentiality and security of Customer Personal Data, and can comply with its obligations under Data Protection Laws.

5. DATA TRANSFERS

5.1 The Parties acknowledge that Customer Personal Data Processed by Supplier under the Agreement may be subject to the European Data Protection Laws and that Supplier will be Processing this Customer Personal Data in a country outside the Permitted Territories.

5.2 Where Supplier Processes Customer Personal Data subject to the EU GDPR in a country outside the Permitted Territories, the parties enter into and agree to be bound by the provisions of the EU Processor to Processor Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU Standard Contractual Clauses”), and in relation to Supplier Processing Customer Personal Data subject to the UK GDPR the parties enter into and agree to be bound by the provisions of the UK International Data Transfer Addendum (“UK Addendum”), in each case, with Customer as “data exporter” and Supplier as “data importer.” In addition:

5.2.1 The optional language in Clause 7 of the EU Standard Contractual Clauses is excluded;

5.2.2 Option 1 is included in Clause 9 and the time period for notice shall be as set forth in Section 4 of this Addendum;

5.2.3 The optional language in Clause 11 is excluded;

5.2.4 In Clause 17, the governing law shall be the law of Ireland;

5.2.5 In Clause 18, disputes shall be resolved in the courts of Ireland;

5.2.6 The competent supervisory authority shall be the Irish Data Protection Commission; and

5.2.7 The remaining information required by the Annexes to the EU Standard Contractual Clauses is set forth in the Annexes to this Addendum.

5.3 Supplier hereby represents that:

5.3.1 it is not and will not be in breach of any provision of the EU Standard Contractual Clauses; and

5.3.2 it is not, and nor are any of its Sub-Processors, subject to the U.S. Foreign Intelligence Surveillance Act (“FISA”) or Executive Order 12333 (“EO”), and nor has Supplier or any Sub-Processor received any requests under Section 702 of the FISA or, to the best of Supplier’s knowledge, been subject to any action under the EO.

6. SECURITY

6.1 Supplier shall, throughout the term of the Agreement and for as long as Supplier is Processing Customer Personal Data, implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. These measures shall be at least the minimum standard required by Data Protection Laws.

7. SECURITY INCIDENT NOTIFICATION

7.1 Supplier shall notify Customer without undue delay (and in any event within 72 hours) on becoming aware of a Security Incident and provide Customer with details of the Security Incident. To the extent available, these details shall include:

7.1.1 the nature of the Security Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;

7.1.2 the name and contact details of the data protection officer or other contact point of Supplier, where more information can be obtained;

7.1.3 description of the likely consequences of the Security Incident; and

7.1.4 description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Security Incident.

7.2 Supplier shall take all such actions as may be necessary or required by Customer to mitigate the impact of the Security Incident and provide all such timely information and assistance as Customer may require in order for Customer to meet any Security Incident notification obligations under Data Protection Laws.

7.3 To the extent Supplier claims any form of privilege under applicable laws over its investigation of the Security Incident (with the effect of withholding disclosure of information about the Security Incident from Customer), Supplier must conduct a concurrent, non-privileged investigation to provide all information about the Security Incident to Customer as required under this Addendum and Data Protection Laws.

7.4 Customer, in its sole discretion, will determine whether to notify a Supervisory Authority, Data Subjects or other third parties about a Security Incident. At Customer’s request, Supplier shall notify affected Data Subjects and other relevant parties about the Security Incident in a manner and format determined by Customer in its sole discretion. The content of any filings, press releases or other communications related to any Security Incident that references Customer must (unless prohibited by applicable laws) be approved by Customer prior to any publication or communication thereof by Supplier (or its representatives).

8. ASSISTANCE

8.1 Supplier shall notify Customer without undue delay (and in any event within two business days) of receiving a request from Data Subjects of Customer Personal Data exercising Data Subject Rights under Data Protection Laws, and shall not respond to any such requests except on the documented instructions of Customer.

8.2 To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to Supplier), Supplier shall promptly provide Customer with reasonable assistance:

8.2.1 in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject Rights under Data Protection Laws and any complaints received from Data Subjects;

8.2.2 to enable Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments; and

8.2.3 in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data.

9. DELETION OR RETURN OF DATA

9.1 Supplier shall, at the choice and discretion of Customer delete or return all Customer Personal Data to Customer in such form as Customer reasonably requests once Processing by Supplier of any Customer Personal Data is no longer required for the purposes of the Agreement, and delete all existing copies unless required by applicable laws to store Customer Personal Data, in which case Supplier shall inform Customer of any such requirement and at all times keep Customer Personal Data confidential. If following the termination of the Agreement, Customer does not indicate its intention to Supplier to delete or return all Customer Personal Data in line with this clause, Supplier shall delete all Customer Personal Data no later than 60 days following the termination of the Agreement (providing at least 15 days written notice to Customer prior to such deletion).

10. INFORMATION REQUESTS AND AUDITS

10.1 Supplier shall maintain written records of all categories of Processing activities carried out on behalf of Customer for the purposes of providing the Services and as required under Data Protection Laws.

11. COOPERATION WITH REGULATORS AND CONDUCT OF CLAIMS

11.1 Supplier shall immediately and without undue delay notify Customer of all inquiries and/or requests that Supplier receives from a Supervisory Authority that relate to the Processing of Customer Personal Data or either party's obligations under the Agreement or this Addendum, unless prohibited from doing so under applicable laws. If Supplier or Customer receives such an inquiry or request from a Supervisory Authority, Supplier shall promptly and without undue delay provide Customer with such information as Customer may reasonably request to satisfy such inquiry or request.

11.2 Unless Customer notifies Supplier that Supplier will be responsible for handling a particular communication or correspondence with a Supervisory Authority, or a Supervisory Authority requests in writing to engage directly with Supplier, Customer will handle all communications and correspondence relating to Customer Personal Data Processed pursuant to the Agreement.

11.3 In the event that Supplier receives a request, subpoena or other legal process that, where read in the broadest possible manner, would require disclosure or Processing of Customer Personal Data in a manner not expressly permitted by the Agreement or Supplier's written instructions, Supplier shall:

11.3.1 to the extent permitted by law, promptly notify Customer in writing as far as possible in advance of and prior to such disclosure or Processing to allow Customer to seek protective treatment of such Customer Personal Data;

11.3.2 reasonably cooperate with Customer’s efforts to obtain such protective treatment or similar relief;

11.3.3 disclose only the particular Customer Personal Data required to comply with its relevant legal obligations; and

11.3.4 thereafter continue to Process and maintain the confidentiality of such Customer Personal Data in accordance with this Addendum and any confidentiality provisions of the Agreement.

ANNEX 1

DATA PROCESSING DETAILS

1. SUBJECT-MATTER, NATURE AND PURPOSE OF THE PROCESSING:

The context for and purposes of the Processing of Customer Personal Data are Supplier's provision of the Services under the Agreement.

2. DURATION OF PROCESSING:

Supplier shall Process Customer Personal Data according to Supplier's retention obligations under this Addendum, provided that Supplier shall not Process Customer Personal Data for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

3. PERSONAL DATA IN SCOPE:

Supplier may Process the following types/categories of Personal Data: first name, last name, email address, employer name.

Supplier will not process Sensitive Personal Data or other special categories of Personal Data.

4. PERSONS AFFECTED (DATA SUBJECTS):

Supplier will process Customer Personal Data relating to:

Customer employees and customers of Customer.

5. DATA PROTECTION CONTACT POINTS:

(Data Exporter)

SafeBase, Inc. (Data Importer)

Contact Person’s Name: Kevin Qiu

Position: Director of Information Security

Contact details: kevin@safebase.io

ANNEX 2

SUB-PROCESSOR LIST

Name of Sub-Processor | Services Performed | Sub-Processor Location | Purpose of Processing | DPA with Sub-Processor? (Yes or No)
Algolia | Fast text search and indexing | USA | There may be personal data in uploaded questionnaires and compliance reports. | Yes
Adobe Marketo | Email campaign management | USA | To automate email marketing campaigns. | Yes
Amplemarket | Sales playbooks | USA | Used by sales team to identify public company attributes about customers. | Yes
Auth0 | User authentication | USA | Emails and names needed for user management. | Yes
BaseDash | Used for restricted database viewing/editing | USA | Used to control SQL editing as opposed to running raw SQL queries. | Yes
Clearbit | Data enrichment | USA | Enrich customer data in our customer relationship management and customer data platform solutions. | Yes
Courier | Email notifications | USA | Used to send email notifications for things like access requests and request approvals. | Yes
Crossbeam | Partner ecosystem management | USA | Used to identify joint opportunities with partners. | Yes
Datadog | Event logging | USA | Used for infrastructure logging and uptime monitoring. | Yes
DocuSign | Document signing | USA | Needed for customers who want to integrate with DocuSign for NDAs. | Yes
Explo | Used for customer-facing analytics | USA | Powers certain analytics on the SafeBase dashboard. | Yes
Fly | Reverse proxy infrastructure | USA | Needed for customers who want to map a custom subdomain to their security portal. | Yes
FullStory | Used for front-end monitoring | USA | Used for product improvement and to help debug customer issues that arise. | Yes
Gong | Zoom meeting recording and transcription | USA | Used to transcribe Zoom calls for better search and for sharing externally with customers. | Yes
Google | Email and cloud infrastructure | USA | Google Cloud Platform hosts our application and email service. | Yes
Intercom | Customer chat | USA | Used to chat with customers who are interested in the product or require technical support. | Yes
Mixpanel | Internal analytics | USA | Used to gather application analytics to improve the product. | Yes
Notion | Internal documentation and collaboration | USA | Used as an internal wiki for company information and planning. | Yes
Outreach | Outbound email | USA | Queries Salesforce to ensure that existing customers are not included in any outbound email campaigns. | Yes
Paragon | Salesforce integration | USA | Needed for customers who wish to integrate with Salesforce. | Yes
Postmark | Email delivery | USA | Needed for sending SafeBase-related emails to users. | Yes
Retool | Used for restricted database viewing/editing | USA | Needed for customer support to make changes as needed without having to give them full SQL access. | Yes
Salesforce | CRM | USA | Used to track customer information for sales and post-sales. | Yes
Segment | Customer data management platform | USA | Needed for application event tracking. | Yes
Slack | Internal and external instant messaging | USA | Needed for customers who have a shared Slack channel with SafeBase. | Yes
Stripe | Payment processing | USA | For customers who choose to pay for the SafeBase service with a payment card. | Yes
Svix | Managed webhooks | USA | For customers who choose to use the optional webhooks feature for custom workflows. | Yes
Tray | Integrations middleware | USA | For customers who choose to use the HubSpot integration. | Yes
Zapier | Automated Slack notifications | USA | Used by SafeBase customer support to receive notifications when Customers need assistance or perform certain activities. | Yes
Zania | AI security platform | USA | For customers who leverage the SafeBase AI-Powered Questionnaire Assistance tool. Provides an AI-powered platform to streamline and automate security, privacy, and compliance workflows. | Yes