DATA PROCESSING ADDENDUM (“DPA”) VERSION 1 – INTELLICENE AS CUSTOMER’S PROCESSOR
This DPA forms part of the ORDER/ PROPOSAL/ SALE AGREEMENT (“Agreement”) between: (1) the applicable Intellicene contracting entity, as specified in the Agreement or any other wholly owned subsidiary of Intellicene (“Intellicene”) acting on its own behalf and as agent for each Intellicene Affiliate; and (2) the customer engaging with Intellicene under the Agreement (“Customer”) acting on its own behalf and as agent for each Customer Affiliate (each being a “Party” and together “the Parties”). In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as amended by, and including, this DPA.
DPA table of contents:
- Terms of Processing
- Annex 1: Data Processing Instructions
- Annex 2: Information Security Schedule
Definitions
- In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Adequacy Decision” means, for a jurisdiction with Privacy Laws that have data transfer restrictions, a country that the Supervisory Authority or other body in such jurisdiction recognises as providing an adequate level of data protection as required by such jurisdiction’s Privacy Laws such that transfer to that country shall be permitted without additional requirements;
- “Affiliate” means any entity which now or in the future controls, is controlled by, or is under common control with the signatory to this DPA, with “control” defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such person or entity, whether through the ownership of voting securities, by contract, or otherwise;
- “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, and in the context of this DPA shall mean the Customer;
- “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller, and in the context of this DPA shall mean Intellicene;
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates;
- “Personal Data” shall have the meaning set out in, and will be interpreted in accordance with Privacy Laws, and in the context of this DPA, shall mean the personal data in Customer Data, Processed by Intellicene in accordance with the Services as outlined in Annex 1, which relates to a Data Subject;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
- “Privacy Laws” means national, federal, union, state and other laws, as applicable to Personal Data in the context and jurisdiction of the Processing, concerning the regulation of the collection, retention, processing, data security, disclosure, trans-border data flows, use of web-site cookies, email communications, use of IP addresses and meta-data collection;
- “Process” or “Processing” means any operation or set of operations that is performed upon Personal Data in connection with the Services, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, as described in Annex 1;
- “Restricted Transfer” means:
- a transfer of Personal Data from Customer to Intellicene; or
- an onward transfer of Personal Data from Intellicene to a Subprocessor, in each case, where such transfer outside of jurisdiction of Customer would be prohibited by Privacy Laws in the absence of an approved method of transfer, including through (a) an Adequacy Decision, (b) Standard Contractual Clauses, or (c) by the terms of other recognised forms of data transfer agreements or processes;
- “Services” means the services and other activities to be supplied to or carried out by or on behalf of Intellicene for Customer pursuant to the Agreement;
- “Standard Contractual Clauses” means the contractual clauses approved by a Supervisory Authority pursuant to Privacy Laws which provide for multi-jurisdictional transfer of Personal Data from one jurisdiction to another where such transfer would otherwise be a Restricted Transfer;
- “Subprocessor” means any third party (including any third party and any Intellicene Affiliate) appointed by or on behalf of Intellicene to undertake Processing in connection with the Services; and
- “Supervisory Authority” means an independent public authority which is established in a jurisdiction under Privacy Laws with competence in matters pertaining to data protection.
- The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
- References in this DPA to Intellicene include Intellicene Affiliates where such Intellicene Affiliates are Subprocessors.
- The terms used in this DPA shall have the meanings set forth in this DPA provided that capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain unchanged and in full force and effect.
Processing of Personal Data
- Intellicene will not:
- Process Personal Data other than on Customer’s documented instructions (set out in this DPA and in the Agreement) unless Processing is required by a Supervisory Authority; or
- sell Personal Data received from Customer or obtained in connection with the provision of the Services to Customer.
- Customer on behalf of itself and each Customer Affiliate:
- instructs Intellicene:
- to Process Personal Data; and
- in particular, transfer Personal Data to any country or territory;
in each case as reasonably necessary for the provision of the Services and consistent with this DPA.
- Annex 1 sets out the subject matter and other details regarding the Processing of the Personal Data contemplated as part of the Services.
Intellicene Personnel
Intellicene shall ensure that persons authorised to undertake Processing of the Personal Data have:
- committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data; and
- undertaken appropriate training in relation to protection of Personal Data.
- Intellicene shall not operate or support the actual operation of its products and other solutions in Customer’s real-life environment or in relation to Customer’s objectives.
Security
Subprocessing
Data Subject Rights
Personal Data Breach
Data Protection Impact Assessment and Prior Consultation
Deletion or return of Personal Data
Review, Audit and Inspection rights
Restricted Transfers
Other Privacy Laws
General Terms
CUSTOMER (AS DEFINED ABOVE) | Intellicene |
Signature: | Signature: |
Name: | Name: as indicated on the above e-signature |
Title: | Title: as indicated on the above e-signature |
Date Signed: , 20 | Date Signed: as indicated on the above e-signature |
ANNEX 1: DATA PROCESSING INSTRUCTIONS APPLICABLE TO NOWFORCE (SAAS) SOLUTION
Solution | NowForce |
Processing Activity: Support | Product Support may be provided by Intellicene in accordance with Intellicene’s Support Plan. Support may be provided either in the context of Software or Hosted Subscription Services. The Agreement and Order will set out the applicable Support Plan and that Support Plan sets out information on how Support is provided. When providing Support, Intellicene may be required by Customer to Process Personal Data. Intellicene may access and/or receive Personal Data when providing Support. Personal Data is not accessed and/or received in every service Support case because some errors can be analysed and rectified without such access if the background to the error is known. Depending on the issue, Intellicene Affiliates (listed below) may provide Support and therefore an international transfer of Personal Data may occur pursuant to Section 11 of the DPA. |
Processing Activity: Professional Services | If, as part of an Order, Customer requires Intellicene to perform professional services to assist in deployment of the product or Managed Services during the term, then Intellicene may be required by Customer to Process Personal Data as part of this engagement. |
Processing Activity: Hosted Subscription Services | Customer will upload data to the Hosted Subscription Services in order to maximise the functionality of the product. Some of the data which may be uploaded to the Hosted Subscription Services includes Personal Data. Intellicene will host (storage) the data on behalf of Customer in accordance with the terms and conditions of service under the Agreement as mutually agreed to by the Parties. Intellicene may use a Subprocessor to deliver cloud hosting services as outlined below. Customer will determine how and why the product will be used to its benefit which may include the frequent or infrequent use of Personal Data. Customer acknowledges that in relation to these Processing operations, Intellicene has no control over the submission of Data Subject’s Personal Data and that the design of the data to be submitted to Intellicene’s hosted services is at all times under the control of Customer. Except for the underlying cloud storage of the SaaS services (and the provision of Support, if applicable, described above), Intellicene is not involved in any Processing activities associated with this use of the product. If, as part of an Order, Customer requires Intellicene to perform professional services to assist in deployment of the product or Managed Services during the Term, then Intellicene may be required by Customer to Process Personal Data for those purposes. |
Categories of Personal Data |
|
Special Categories of Personal Data | As Additional Categories of Personal Data may be provided by Customer either as part of a Support request or through Customer’s use of Hosted Subscription Services, it is possible that from time to time Customer instructs Intellicene to Process Special Categories of Data. Intellicene’s products do not typically process Special Categories of Personal Data; however, Customer may determine that such categories will be Processed. Where applicable, Customer must inform Intellicene of this intention prior to conducting the Processing. |
Data Subjects | Employees, clients, customers and suppliers of Customer. Employees or contractors of Customer who contact Intellicene’s technical support facilities. Customer determines which Data Subjects form part of the Processing and therefore these categories may change depending on Customer’s use of the product. |
Duration of Processing | Support & Professional Services: Personal Data is processed only for as long as is necessary to provide the particular Support and/or Professional Services. SaaS: Personal Data is stored for the duration of the Services and is deleted or returned to Customer as set out under Section 9 of the DPA or as otherwise amended or deleted by Customer during the Term. |
Intellicene Affiliate(s) as Subprocessors | The following non-exhaustive list of Intellicene Affiliates may be considered Subprocessors in circumstances set out in this table and may provide technical support services, project related services, back office systems, data transfer and storage, and backup and disaster recovery services: EMEA: Intellicene Software UK Limited, UK; Symphia Intellicene Software Ltd., Israel. Americas: Intellicene Software Ltda., Brazil; Enterprise Intellicene Canada Inc., Canada. APAC: Intellicene India Private Limited, India. |
ANNEX 2: INFORMATION SECURITY SCHEDULE
- Intellicene shall enforce complex passwords using built in system settings of at least 8 characters. Intellicene shall require password changes at least every ninety (90) days. Intellicene administrators shall use multi-factor authentication for access to the production environment(s).
- Access to Intellicene’s production environment(s) is controlled at four distinct hierarchical levels: the hosting partner level, the SaaS operations team level, the Intellicene network security level, and the application level. Access control is required for each of these levels to provide the optimal level of security for the solution.
- An Intellicene hosting partner’s role is to design, deploy, secure, make available, and support the systems upon which Intellicene’s SaaS solutions are installed and delivered to Intellicene’s customers (end users). The hosting partners have primary control over the data centers, systems, and networks upon which Intellicene’s SaaS solutions operate. The hosting partner provides Intellicene’s SaaS operations team with the initial credentials required to access the hosted systems and support portals.
- Intellicene’s security procedures shall require that any Customer Data stored by Intellicene only be stored using secure data encryption algorithms and key strengths of 128-bit symmetric and 1024-bit asymmetric or greater. Intellicene shall monitor Industry Standards and implement an action plan if key lengths in use can be compromised through commercially reasonable means.
- Intellicene will maintain a key management process that includes appropriate controls to limit access to private keys and a key revocation process. Private keys and passwords shall not be stored on the same media as the data they protect.
- Intellicene will prohibit Intellicene Personnel from the download, extraction, storage or transmission of Customer Data through personally owned computers, laptops, tablet computers, cell phones, or similar personal electronic devices except where enrolled in Intellicene’s Mobile Device Management (MDM), Information Rights Management (IRM), or other security programs. If personal computers or mobile devices are used to perform any part of the Hosted Subscription Services, Intellicene will encrypt all Customer Data on such mobile devices.
- Intellicene agrees that any and all electronic transmission or exchange of Customer Data shall be protected by a secure and encrypted means (e.g. HTTPS, SSH, encryption using TLS on gateway while sending emails).
- Customer Data stored as a part of the Hosted Subscription Services shall reside only on Intellicene production systems housed in Intellicene hosting partner data centers, unless noted in a SOW or required with respect to professional service engagements or performance of support services. Any storage of Customer Data on Intellicene premises is temporary and is used strictly for support and services engagements. Once Customer Data on Intellicene premises has served its purpose, it shall be promptly destroyed in accordance with Intellicene’s confidential data destruction procedures.
- Intellicene will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. Intellicene will ensure that transfers of Personal Data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR and that such transfers and safeguards are documented according to Article 30(2) of the GDPR.
- Intellicene will utilize up-to-date and comprehensive virus and malware protection capabilities, and commercially reasonable practices, including detection, scanning and removal of known viruses, worms and other malware on Intellicene’s hosting systems. These virus protection capabilities will be in force on all computers and/or devices utilized in connection with the technology services, as well as on all data files or other transfers that have access or are connected to Intellicene’s hosting system.
- If a virus, worm or other malware causes a loss of operational efficiency or loss of data, Intellicene will mitigate losses and restore data from the last virus free backup to the extent practicable.
- Intellicene shall obligate its hosting partners to provide a multiple layered security approach. This shall include perimeter firewalls, DMZ, one or more internal network segments, and network intrusion detection monitors for attempted intrusion to the production environment. Network vulnerability scans shall be conducted regularly and issues addressed according to Industry Standard change control processes.
- Intellicene shall mitigate security vulnerabilities through the use of perimeter and host countermeasures such as intrusion prevention, web application firewall, IP address shunning, and other measures designed to prevent successful exploitation of vulnerabilities.
- Intellicene and its hosting partners shall proactively address security risks by applying released security patches, including, as an example, Windows security patching and updates to patch known vulnerabilities in an applicable operating system. Patches shall be deployed to production via Intellicene’s change management process. Intellicene shall test all patches in its test environment prior to release to production. If a patch degrades or disables the production environment, Intellicene shall continue to mitigate vulnerabilities until a patch is provided by the software or operating system manufacturer that does not degrade or disable production. Such mitigation efforts may include intrusion prevention, web application firewall, and other measures chosen by Intellicene to reduce the likelihood of or prevent successful access to Customer Data by an unauthorized party.
- Each month, Intellicene and its hosting partners shall schedule maintenance windows to perform data center, system, and application maintenance activities. Intellicene shall notify Customer in advance of any scheduled maintenance activity that is expected to disrupt the Hosted Subscription Services functionality.
- Intellicene shall retain security logs for a minimum of thirty (30) days online and ninety (90) days archived. Intellicene may retain logs for a longer period at its sole discretion.
- Intellicene shall maintain business continuity and disaster recovery plans specific to its Hosted Subscription Services, and shall include data center failover configurations.
- Intellicene shall maintain a backup of all Customer Data that Intellicene is required to retain as a part of the Hosted Subscription Services. In the event Customer Data becomes destroyed or corrupt, Intellicene shall use commercially reasonable efforts to restore all available data from backup, and remediate and recover such corrupt data.
- Use commercially reasonable measures to detect product vulnerabilities prior to release. These measures may include manual test scripts, test automation, dynamic code analysis, static code analysis, penetration testing, or other measures chosen by Intellicene. Intellicene shall update procedures and processes from time to time to improve detection of vulnerabilities within its products.
- Intellicene’s developers shall not intentionally write, generate, compile, copy, collect, propagate, execute or attempt to introduce any computer code designed to self-replicate, damage or otherwise hinder the performance of any systems or network.
- Intellicene’s developers shall receive regular training on coding and design with respect to application security.