1. SUBJECT MATTER OF THIS ADDENDUM.
1.1. This Data Processing Addendum (this “Addendum”) applies solely to the processing of personal data that is subject to EU Data Protection Law within the scope of the Reseller Agreement, Master Services Agreement, or similar agreement, and any Statement of Work entered into pursuant thereto, as the same may be amended from time to time, for the provision of services (“Services”) (hereinafter to be collectively referred to as the “Services Agreement”) by ProSOC, Inc. dba “Proficio”, a Delaware corporation, its subsidiaries, parents, affiliates, successors and/or assigns (“Proficio”) to the customer (the “Customer”).
1.2. The term “EU Data Protection Law” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
1.3. Terms such as “Processing”, “Personal Data”, “Controller” and “Processor” shall have the meaning ascribed to them in the EU Data Protection Law.
1.4. Insofar as Proficio will be processing Personal Data subject to EU Data Protection Law on behalf of the Customer in the course of the performance of the Services Agreement with the Customer, the terms of this Addendum shall apply.
2. THE CUSTOMER AND PROFICIO.
2.1. The Customer is solely responsible for determining the scope, purposes, and manner by which the Personal Data may be accessed or processed by Proficio. Proficio will process the Personal Data as set forth in the Services Agreement and this Addendum.
2.2. Proficio shall immediately inform the Customer if, in its opinion, the Customer’s instructions infringe the GDPR or other Union or Member State data protection provisions.
2.3. The Customer warrants that it has all necessary rights to provide the Personal Data to Proficio for the Processing to be performed in relation to the Services. To the extent required by EU Data Protection Law, the Customer is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, the Customer is responsible for communicating the fact of such revocation to Proficio.
3. CONFIDENTIALITY.
3.1. Without prejudice to any existing contractual arrangements between the parties, Proficio shall treat all Personal Data as strictly confidential and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. Proficio shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. SECURITY.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, the Customer and Proficio shall implement such commercially reasonable technical and organizational measures as Proficio deems appropriate to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, as appropriate:
- (a) commercially reasonable measures to ensure that the Personal Data is accessed only by authorized personnel for the purposes set forth in the Services Agreement;
- (b) in assessing the appropriate level of security, Proficio shall take into account the risks that are reasonably understood by Proficio to be presented by the processing;
- (c) the commercially reasonable ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services;
- (d) the commercially reasonable ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
- (e) a commercially reasonable process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;
- (f) commercially reasonable measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Customer.
4.2. Proficio shall at all times have in place a commercially reasonable written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Article 4.1.
5. IMPROVEMENTS TO SECURITY.
5.1. Proficio will evaluate the measures as implemented in accordance with Article 4 on a commercially reasonable basis and will amend these measures if necessary in order to maintain compliance with the requirements set out in Article 4. The parties will negotiate the cost, if any, to implement any such changes required by specific security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.
5.2. If an amendment to the Services Agreement is necessary in order to execute a Customer instruction to Proficio to improve security measures as may be required by changes in applicable data protection law from time to time, the parties will negotiate the cost, if any, to implement any such changes.
6. DATA TRANSFERS.
6.1. Proficio shall immediately notify the Customer of any transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection. The Customer agrees that Proficio’s Security Operations Centers observe an adequate level of protection and grants its consent to any transfers of Personal Data to Proficio Security Operations Centers located in the United States or Singapore.
7. INFORMATION OBLIGATIONS AND INCIDENT MANAGEMENT.
7.1. When Proficio becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall notify the Customer about the incident, shall reasonably cooperate with the Customer, and shall follow the Customer’s commercially reasonable requests with regard to such incidents, to assist the Customer in performing an investigation into the incident and to formulate and implement a commercially reasonable response.
7.2. The term “incident” used in Article 7.1 shall be understood to mean in any case: (a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; (b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; (c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; (d) any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; and (e) where, in the opinion of Proficio, implementing an instruction received from the Customer would violate applicable laws to which the Customer or Proficio are subject.
7.3. Proficio shall have in place written procedures which enable it to respond to the Customer about an incident. Where the incident is reasonably likely to require a data breach notification by the Customer under applicable EU Data Protection Law, Proficio shall implement its written procedures in such a way that it is in a position to notify the Customer no later than 24 hours after having become aware of such an incident.
7.4. Any notifications made to the Customer pursuant to this Article 7 shall contain to the extent commercially reasonable: (a) a description of the nature of the incident; (b) the name and contact details of Proficio’s contact point where more information can be obtained; (c) a description of the known consequences of the incident, if any; and (d) a description of the measures taken or proposed to be taken by Proficio to address the incident.
8. CONTRACTING WITH SUB-PROCESSORS.
8.1. The Customer authorizes Proficio to engage sub-processors for Service-related activities as reasonably determined by Proficio.
8.2. Proficio shall use commercially reasonable efforts to require that any sub-processor is bound by the same data protection obligations as Proficio under this Addendum.
9. DESTRUCTION OF PERSONAL DATA.
9.1. All Personal Data of the Customer shall be destroyed as set forth in the Services Agreement.
10. ASSISTANCE TO CUSTOMER.
10.1. Upon the Customer’s written request, Proficio shall use its commercially reasonable efforts to assist the Customer in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under the GDPR. Proficio reserves the right to charge for such assistance.
10.2. Proficio shall assist the Customer in ensuring compliance with the obligations pursuant to Section 4 (Security) of this Addendum and with any prior consultations with supervisory authorities required under Article 36 of the GDPR, taking into account the nature of the processing and the information available to Proficio.
11. INCORPORATION OF SERVICES AGREEMENT.
11.1. This Addendum is subject in all respects to the terms and provisions of the Services Agreement, all of which are by this reference made a part of and incorporated in this Addendum. Any capitalized term not defined in this Addendum shall have the meaning ascribed to it in the Services Agreement. If and to the extent this Addendum and the Services Agreement conflict, the Services Agreement shall control.