Data Processing Addendum

Last updated: 08/10/22

SMART OMIX DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“Addendum”) forms part of the agreement between Customer and Sharecare covering Customer’s use of the “Services” as defined in the Platform Agreement between Sharecare and Customer (the “Agreement”).

 

Definitions

 

A. “Applicable Data Protection Law” refers to all laws and regulations applicable to Sharecare’s processing of personal data under the Agreement.

 

B. “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

C. “Customer Account Data” means personal data that relates to Customer’s relationship with Sharecare, including the names or contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account.

 

D. “Customer User Content” means personal data exchanged as a result of using the Services, such as study content, study participant data, and study results, but excluding participant account data that is considered part of the Customer Usage Data as defined below.

 

E. “Customer Usage Data” means data processed by Sharecare for the purposes of transmitting or exchanging Customer User Content, including but not limited to personal data of study participants that is used to establish an account with Sharecare but not to the extent such data is so intermingled with a particular study as to become Customer User Content.

 

F. “personal data” means any information relating to an identified or identifiable natural person (“data subject”) as defined under the Applicable Data Protection Law. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

G. “Sharecare Smart Omix Privacy Policy” means the privacy notice for the Services, the current version of which is available at smartomix.com/privacy.

 

H. “processor” means the entity which processes personal data on behalf of the controller.

 

I. “processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

 

J. “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer User Content.

 

K. “Sensitive Data” means (i) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated last four digits of a credit or debit card), financial information, banking account numbers or passwords; (iii) employment, financial, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (v) account passwords, mother’s maiden name, or date of birth; (vi) criminal history; or (vii) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.

 

L. “Standard Contractual Clauses” means, as set forth on Schedule 3 attached hereto, (i) the standard contractual clauses adopted by the European Commission on 4 June 2021 for the transfer of personal data to third countries pursuant to the GDPR (“SCCs”); (ii) the standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection annexed to Commission Decision of 5 February 2010 as adopted by the UK pursuant to the EU Withdrawal Act of 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations of 2019 (“UK Controller-to-Processor SCCs”).

 

M. “subprocessor” means (i) Sharecare, when Sharecare is processing Customer User Content and where Customer is a processor of such Customer User Content or (ii) any third-party processor engaged by Sharecare to process Customer User Content in order to provide the Services to Customer.

 

N. “Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

 

Capitalized terms not defined in this section will have the meaning given to them in this Addendum or the Agreement.

 

Controller and Processor

 

A. Sharecare as a Processor. The parties acknowledge and agree that with regard to the processing of Customer User Content, Customer is a controller and Sharecare is a processor. Sharecare will process Customer User Content in accordance with Customer’s instructions as set forth in the section titled Customer Instructions.

 

B. Sharecare as a Controller of Customer Account Data. The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Sharecare is an independent controller, not a joint controller with Customer. Sharecare will process Customer Account Data as a controller in order to (i) manage the relationship with Customer; (ii) carry out Sharecare’s core business operations, such as accounting and filing taxes; (iii) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (iv) perform identity verification; and (v) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Sharecare Smart Omix Privacy Policy.

 

C. Sharecare as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Sharecare is an independent controller, not a joint controller with Customer. Sharecare will process Customer Usage Data as a controller in order to carry out the necessary functions as a communications service provider, such as: (i) Sharecare’s accounting, tax, billing, audit, and compliance purposes; (ii) to provide, optimize, and maintain the Services, platform and security; (iii) to investigate fraud, spam, wrongful or unlawful use of the Services; (iv) as required by applicable law or regulation; or (v) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Sharecare Smart Omix Privacy Policy.

 

D. Purpose Limitation. Sharecare will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

 

E. Compliance. Customer is responsible for ensuring that (i) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (ii) it has, and will continue to have, the right to transfer, or provide access to, personal data to Sharecare for processing in accordance with the terms of the Agreement and this Addendum. Customer and Sharecare, respectively, will notify the other party no later than five business days after it makes a determination that it can no longer meet its obligations under the Applicable Data Protection Law.

 

Sharecare as a Processor – Processing Customer User Content

 

A. Customer Instructions. Customer appoints Sharecare as a processor to process Customer User Content on behalf of, and in accordance with, Customer’s instructions (i) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Sharecare Acceptable Use Policy, and detecting and preventing network exploits or abuse; (ii) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (iii) as otherwise agreed in writing between the parties (“Permitted Purposes”). Sharecare may not retain, use, or disclose Customer User Content for any commercial or other purpose, except for the Permitted Purposes or as otherwise permitted by the Applicable Data Protection Law. Without limiting the generality of the foregoing, Sharecare will not retain, use, or disclose Customer User Content outside the direct business relationship between Customer and Sharecare.

 

B. Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Sharecare is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Sharecare’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Sharecare’s processing of Customer User Content, when done in accordance with Customer’s instructions, will not cause Sharecare to violate any applicable law or regulation, including Applicable Data Protection Law.

 

C. Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to Sharecare for carrying out such additional instructions.

 

Confidentiality

 

A. Responding to Third Party Requests. In the event any Third Party Request is made directly to Sharecare in connection with Sharecare’s processing of Customer User Content, Sharecare will promptly inform Customer and provide details of the same, to the extent legally permitted. Sharecare will not respond to any Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.

 

B. Confidentiality Obligations of Sharecare Personnel. Sharecare will ensure that any person it authorizes to process Customer User Content has agreed to protect personal data in accordance with Sharecare’s confidentiality obligations in the Agreement.

 

Subprocessors

 

A. Authorization for Subprocessing. Customer provides a general authorization for Sharecare to engage onward subprocessors that is conditioned on the following requirements:

 

(i) Sharecare will restrict the onward subprocessor’s access to Customer User Content only to what is strictly necessary to provide the Services, and Sharecare will prohibit the subprocessor from processing the personal data for any other purpose;

 

(ii) Sharecare agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any subprocessor it appoints that require such subprocessor to protect Customer User Content to the standard required by Applicable Data Protection Law; and

 

(iii) Sharecare will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its subprocessors.

 

B. Current Subprocessors and Notification of Subprocessor Changes. Customer consents to Sharecare engaging third party subprocessors to process Customer User Content within the Services for the Permitted Purposes. Sharecare will provide Customer with a current list of Subprocessors upon Customer’s request. Sharecare will provide details of any change in subprocessors as soon as reasonably practicable.

 

C. Objection Right for New Subprocessors. Customer may object to Sharecare’s appointment or replacement of a subprocessor, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Sharecare’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Sharecare. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services.

 

Data Subject Rights

 

In the event that either party receives any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) requiring action by the other party under the Applicable Data Protection Law, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and to fulfill their respective obligations under Applicable Data Protection Law.

 

Upon Customer’s request, Sharecare will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.

 

Impact Assessments and Consultations

 

Sharecare will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Sharecare to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

 

Return or Deletion of Customer User Content

 

A. Sharecare will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer User Content stored within the Services.

 

B. Upon termination of the Agreement, Sharecare may retain Customer User Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Sharecare will ensure that Customer User Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

 

C. Notwithstanding anything to the contrary in this section, Sharecare may retain Customer User Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer User Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

 

Security and Audits

 

A. Security Measures. Sharecare has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Sharecare’s technical and organizational security measures to protect Customer User Content is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.

 

B. Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer User Content processed by Customer’s use of the Services. Customer is responsible for reviewing the information Sharecare makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Sharecare to maintain appropriate security in light of the nature of Customer User Content processed as a result of Customer’s use of the Services.

 

C. Security Incident Notification. Sharecare will provide notification of a Security Incident in the following manner:

 

(i) Sharecare will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Sharecare’s discovery of a Security Incident impacting Customer User Content of which Sharecare is a processor;

 

(ii) Sharecare will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.

 

Sharecare will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Sharecare’s violation of this Addendum, remediate the cause of such Security Incident. Sharecare will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.

 

D. Audits. The parties acknowledge that Customer must be able to assess Sharecare’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Sharecare is acting as a processor on behalf of Customer.

 

E. Sharecare’s Audit Program. Sharecare uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer User Content. Such audits are performed at least once annually at Sharecare’s expense by independent third-party security professionals at Sharecare’s selection and result in the generation of a confidential audit report (“Audit Report”).

 

F. Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Sharecare will make available to Customer a copy of Sharecare’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that Sharecare’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Sharecare that: (i) ensures the use of an independent third party; (ii) provides written notice to Sharecare in a timely fashion; (iii) requests access only during business hours; (iv) accepts billing to Customer at Sharecare’s then-current rates; (v) occurs no more than once annually; (vi) restricts its findings to only data relevant to Customer; and (vii) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

 

International Provisions

 

A. Location of Data. All data processed by Sharecare under the Agreement will be housed in the United States of America.

 

B. Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction listed in Schedule 3 (Standard Contractual Clauses) of this Addendum) to Sharecare located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 of this Addendum will apply.

 

Miscellaneous

 

A. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this Addendum; (2) the Agreement; and (3) the Sharecare Smart Omix Privacy Policy. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement. If any personal data processed by Sharecare on behalf of Customer constitutes Protected Health Information under the U.S. Health Information Portability and Accountability Act of 1996 (HIPAA), then the Business Associate Agreement entered into between Sharecare and Customer shall supersede this Addendum to the extent there is a conflict between the two documents.

 

B. Failure to Perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility or the parties cannot reach an agreement, the parties may mutually agree to terminate the Agreement for convenience.

 

C. Updates. Sharecare may update the terms of this Addendum from time to time; provided, however, Sharecare will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://www.smartomix.com/dpa.

 

SCHEDULE 1

DETAILS OF PROCESSING

 

1. Nature and Purpose of the Processing. Sharecare will process personal data as necessary to provide the Services under the Agreement and this Addendum. Sharecare does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ personal information with third parties for compensation or for those third parties’ own business interests.

 

1.1 Customer User Content. Sharecare will process Customer User Content as a processor in accordance with Customer’s instructions as set forth in the section titled Customer Instructions.

 

1.2 Customer Account Data. Sharecare will process Customer Account Data as a controller for the purposes set forth in subsection (b) of the section titled Controller and Processor (Sharecare as a Controller of Customer Account Data).

 

1.3 Customer Usage Data. Sharecare will process Customer Usage Data as a controller for the purposes set forth in subsection (c) of the section titled Controller and Processor (Sharecare as a Controller of Customer Usage Data).

 

2. Processing Activities. Personal data will be subject to the processing activities of providing the Services.

 

3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period is as follows:

 

3.1 Customer User Content.

 

(a) Services. Prior to the termination of the Agreement, (x) Sharecare will process stored Customer User Content for the Permitted Purposes until Customer elects to delete such Customer User Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer User Content via the Services. Upon termination of the Agreement, Sharecare will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer User Content via the Services; (ii) automatically delete any stored Customer User Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer User Content on Sharecare’s back-up systems sixty (60) days after the termination effective date. Any Customer User Content archived on Sharecare’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.

 

3.2 Customer Account Data. Sharecare will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Sharecare’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Sharecare Smart Omix Privacy Policy.

 

3.3 Customer Usage Data. Upon termination of the Agreement, Sharecare may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Sharecare will anonymize or delete Customer Usage Data when Sharecare no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.

 

4. Categories of Data Subjects.

 

4.1 Customer User Content. Customer’s end users.

 

4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s Sharecare account.

 

4.3 Customer Usage Data. Customer’s end users and Customer’s employees and individuals authorized by Customer to access Customer’s Sharecare account.

 

5. Categories of Personal Data. Sharecare processes personal data contained in Customer Account Data, Customer User Content, and Customer Usage Data.

 

6. Sensitive Data or Special Categories of Data.

 

6.1 Customer User Content. Sensitive Data (including health information) may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.

 

6.2 Customer Account Data and Customer Usage Data.

 

(a) Sensitive Data may be found in Customer Usage Data in the form of health information submitted by the end user and used to populate the end user’s profile.

 

(b) Customer Account Data does not contain Sensitive Data.

 

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

 

For the purposes of this Information Security Addendum (“ISA”), “Vendor” shall mean Sharecare Operating Company, Inc., and “Customer” shall mean the entity to which Vendor is providing services in the agreement this ISA appends.

 

I. Purpose & Disclaimer

This Sharecare Information Security Addendum (“ISA”) describes the minimum information security program requirements implemented and maintained by Vendor during the course of its performance of services for Customer. Vendor may have additional privacy and security obligations under the terms of other policies or provisions in its contractual relationship with Customer.

II. Definitions

  1. Information Security – the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
  2. Incident Management – the defined process of monitoring and detection of security events on a computer or computer network and the execution of proper responses to those events.
  3. Exception Management – an established process to document and maintain appropriate management approvals for areas, processes or events that do not meet the company-defined security policies.
  4. Customer Confidential Data – any Customer customer/member records or personal data in the possession of, or accessible by, Vendor or its computer or communication system(s), including personal data of any kind. Examples of this include PHI and PII data, pricing data, and Customer intellectual property.
  5. Cyber Security Insurance – insurance designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
  6. Demilitarized Zone (DMZ) – a middle ground between an organization’s trusted internal network and an untrusted, external network such as the Internet. Also called a “perimeter network,” the DMZ is a subnetwork (subnet) that may sit between firewalls or off one leg of a firewall. Organizations typically place their web, mail and authentication servers in the DMZ.

 

III. Security Program and Policy

  1. Consistent with applicable data security laws and regulatory requirements, Vendor shall:
    • implement, enforce, and update Information Security policies, standards, processes, and procedures;
    • develop Information Security strategy and maintain sufficient security budget to successfully implement the strategy; and
    • establish critical security processes such as Incident Management and Exceptions Management.
  2. Information Security policies must be reviewed and approved by Vendor management no less frequently than annually.
  3. Security Risk Management Program – Vendor must maintain a formal risk management function and methodically identify, analyze and mitigate security and technology risks.
  4. Sub-contractor Security Program – Vendor must require and verify that its subcontractors maintain security program standards that meet or exceed those of the Vendor.

IV. Human Resources

  1. A security training and awareness program must be in place for all Vendor employees and contractors, and training shall take place upon hire and no less frequently than annually. Upon request, Vendor shall provide Customer with written attestation that all employees and contractors have completed training.
  2. Upon hire, Vendor shall conduct background checks on all new employees and contractors.
  3. Vendor agrees that any employee or contractor who violates the security requirements of this ISA will be immediately removed and prohibited from providing services to Customer under any agreement, including statements of work or engagement letters, entered into between Customer and Vendor.
  4. All Vendor employee and contractor access must be deleted or disabled within 24 hours of termination. In the case of hostile terminations of employees or contractors, access must be deleted or disabled immediately.

V. Physical, Data and Environmental Security

  1. Access for all persons to Vendor premises, buildings, and areas must be justified, authorized, logged and monitored. Appropriate steps must be taken by Vendor to protect documents and media containing sensitive information.
  2. Upon confirmed breach of this ISA and Customer’s request, Vendor shall provide complete and auditable records of employees and contractors who may have had access to Customer Confidential Data, including at a minimum, their identity and date and time of access.
  3. All Customer Confidential Data shall be stored in a secure data center, and such data center shall provide to Customer upon request an ISO 27001 certificate or a Service Organization Control (SOC 2) report.
  4. All Customer Confidential Data must be encrypted in transit and at rest.

VI. Audits, Assessments, Certifications and Insurance

  1. Notice of Audits and Certifications. Upon request from Customer, Vendor shall provide Customer with data relating to the following audits of and certifications relating to Vendor’s business and operations:
    a. External Network Security Assessment. No less frequently than annually, Vendor shall engage an independent third party to complete an external network assessment that shall include in the scope the services provided to Customer. Vendor shall provide Customer with the full report or, at a minimum, a signed letter of attestation from this assessor and an overview of any critical or high issues noted by the third party.
    b. Internal Network Security Assessment. No less frequently than biennially, Vendor shall engage an independent third party to complete an internal network assessment (including social engineering tests) that shall include in the scope the services provided to Customer. Vendor shall provide Customer with the full report or, at a minimum, a letter of attestation from this assessor and an overview of any critical or high issues noted by the third party.
    c. Customer Assessment. Upon request and 60 days’ advance notice, Customer or a third party on Customer’s behalf may perform an audit to ensure compliance with this Document. Vendor is responsible for ensuring appropriate personnel are available for questions and ensuring audit records are provided in a timely manner. Any critical or high issues noted during the audit must be remediated within a mutually agreeable timeframe.
  2. Vendor must maintain a Cyber Security Insurance policy that includes the services provided to Customer.

VII.           Network Security and Other Security Controls

  1. Perimeter Defense – Vendor must deploy a multilayered perimeter defense of its system by use of firewalls, proxies and DMZs. Vendor must implement and maintain rules for allowing inbound and outbound traffic.
  2. Data Loss Prevention – Vendor must monitor networks, user activities and system processes to prevent and detect unauthorized data movements.
  3. Malware Defenses – Vendor must monitor workstations, servers, and mobile devices to ensure they run active, up-to-date anti-malware (anti-virus) protection, and must maintain procedures to ensure anti-virus scanning of all incoming files.
  4. Access Control – All access must follow the minimum necessary and “least privilege” principles. Vendor must maintain appropriate access by implementing access approval, termination and revalidation processes and procedures. This should include appropriate segregation of duties (e.g., developers do not have access to production data).
  5. Controlled Use of Administrative Privileges – Vendor must ensure that all service accounts have long, difficult-to-guess passwords that are changed periodically, or are configured to disallow interactive login. Passwords for all systems must be stored in a hashed or encrypted format.
  6. Secure Configurations – Vendor must develop, implement, and maintain secure configuration standards for hardware and software, including networking devices, operating systems, databases and applications. Vendor must enforce use of strong authentication and secure protocols.
  7. Maintenance, Monitoring and Analysis of Audit Logs – Vendor must log user and system activities around data, ensure integrity of log files, and implement activity review procedures and tools.
  8. Inventory of Information Assets – Vendor must maintain a detailed inventory of information assets complete and accurate with proper classification, ownership, location, value and criticality.
  9. Change Management – Vendor must use formal, documented change management procedures for any modifications to systems, infrastructure, equipment, software/applications, or other elements related to the services performed for Customer.

VIII.          Vulnerability Management and Application Security Testing

  1. Application Software Security – Both internally developed and third-party application software must be carefully tested by Vendor for security vulnerabilities. For third-party software, Vendor must verify that its suppliers have conducted detailed security testing of their products. For in-house developed applications, Vendor must conduct such testing itself or engage an outside firm to complete the testing. Findings must be remediated within an established, reasonable timeframe. Vendor’s developers must be trained in secure coding techniques, and security testing must be integrated into the System Development Lifecycle.
  2. Continuous Vulnerability Assessment and Remediation – Vendor must maintain vulnerability and patch management processes for all software and hardware. All servers and workstations must be scanned by Vendor for vulnerabilities no less than monthly, and have defined remediation timelines to remediate any vulnerabilities that are noted.
  3. Corrective Action. If during an audit Vendor is found to be not compliant with the stipulations in this ISA, a corrective action plan will be put in place and reviewed yearly if not closed.

IX.             Business Continuity Management Program

  1. Business Continuity Program - At all times during the term of its agreements with Customer, including statements of work and engagement letters, Vendor will maintain and adequately support a Business Continuity Management Program that ensures the continuous operation and, in the event of an interruption, the recovery of all material business functions needed to meet Vendor’s contractual obligations to Customer.
  2. Business Continuity Plan (which includes a Disaster Recovery (IT) Plan) - Vendor shall develop, implement, maintain, and exercise a written Business Continuity Plan (the "Plan").
  3. Delivery of the Plan - Upon request from Customer and within 30 days, Vendor shall make Vendor’s then-current official company Plan available to Customer for review.
  4. Content - The Plan must, at a minimum, describe the actions and resources required to provide for the continuous operation, and in the event of any interruption, the recovery of Vendor’s contractual obligations to Customer under all agreements, including statements of work and engagement letters. Resources are defined as including, but not limited to, all people and facility resources and required systems, hardware, software and data. The recovery of systems, hardware, software and data must be within a Recovery Time Objective (RTO) sufficient to sustain contracted levels of service. The Plan must also state the Recovery Point Objective (RPO) for the required data.
  5. Updates - Vendor shall update and re-publish the Plan whenever there is a significant or material change in Vendor’s systems, recovery strategies, recovery resources, actions described in the Plan or other data affecting Vendor’s contractual obligations to Customer under all agreements, including statements of work and engagement letters, and in any event no less frequently than once in every 12-month period.
  6. Exercises - Vendor shall exercise the Plan no less than annually and make the exercise results available to Customer for review.

X.              Incident Reporting

  1. In the event of a confirmed or suspected breach of Customer Confidential Data, Vendor shall notify Customer Information Security as soon as possible, and in any event within 72 hours of discovery. This notification is in addition to, but may be coordinated with, any other contractual reporting requirements.

SCHEDULE 3

STANDARD CONTRACTUAL CLAUSES

I. Incorporation of SCCs

With respect to transfers of Personal Data across national borders to countries that have not been recognized under the applicable Data Protection Legislation as an Adequate Jurisdiction, the Parties hereby agree to be bound by, where applicable:

  1. For transfers of Personal Data from the EEA to a Non-Adequate Jurisdiction, and for transfers of Personal Data from Brazil, Israel, Japan, Mexico, the Philippines, Singapore, and South Korea (“Applicable Data Transfer Jurisdiction”) to a Non-Adequate Jurisdiction, the Controller-to-Processor SCCs are deemed incorporated into this DPA in their entirety and without alteration, except as noted below. To the extent that the data importer is subject to the extra-territorial scope of Article 3(2) of the GDPR with respect to the specific processing, the obligations imposed on the data importer by the GDPR shall prevail over its obligations under the SCCs, where the latter are less strict. For reference, the official SCCs are available at the following link: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en or any subsequent link published by the European Union Publications Office;

  2. For transfers of Personal Data from the UK to a Non-Adequate Jurisdiction, the UK Controller-to-Processor SCCs are deemed incorporated into this DPA in their entirety and without alteration, except as noted below. For reference, the UK Controller-to-Processor Standard Contractual Clauses are available at the following link: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx or any subsequent link published by the UK Information Commissioner’s Office.

The parties’ signature to this DPA shall be considered as a signature for the Standard Contractual Clauses.

II. Adjustments to the SCCs for Personal Data Transfers from Switzerland

1. To the extent that the data exporter transfers Personal Data related only to Swiss data subjects to a Non-Adequate Jurisdiction, the Swiss Federal Act on Data Protection of 19 June 1992 (“FADP”) applies to the transfers of the Personal Data and, therefore, the following adjustments to the SCCs shall apply to ensure an adequate level of protection for the transfers of Personal Data outside Switzerland in accordance with the FADP:

i. Annex I.C under Clause 13 of the SCCs: The competent supervisory authority is the Federal Data Protection and Information Commissioner (“FDPIC”);

ii. Clause 17 of the SCCs: The law governing the Standard Contractual Clauses is Swiss law;

iii. The use of the term ‘EU Member State’ in the SCCs must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the SCCs;

iv. References to the GDPR in the SCCs are to be understood as references to the FADP; and

v. The SCCs also protect the data of legal entities until the entry into force of the revised FADP (scheduled to come into force in the second half of 2022).

2. To the extent that the data exporter transfers Personal Data related to Swiss and EEA data subjects, or if the transfers of Personal Data are otherwise subject to the extraterritoriality provisions of the EU GDPR (Article 3), the FADP and the GDPR apply in parallel to the transfers of Personal Data. In this case, the Parties agree that the GDPR standard will apply to the transfers of Personal Data because the GDPR provides adequate protection and data subjects are consequently not disadvantaged as a result of the transfers. The following adjustments to the SCCs shall apply:

i. Annex I.C under Clause 13 of the SCCs: The competent supervisory authorities are the FDPIC, insofar as the transfers of Personal Data are governed by the FADP, and the EEA competent supervisory authority as indicated in Annex I.C of the SCCs, insofar as the transfers of Personal Data are governed by the GDPR;

ii. The use of the term ‘EU Member State’ in the SCCs must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the SCCs; and

iii. The SCCs also protect the data of legal entities until the entry into force of the revised FADP (scheduled to come into force in the second half of 2022).

III. UK SCCs

When a data exporter transfers Personal Data from the UK to a Non-Adequate Jurisdiction, the data exporter acts as a Controller and the data importer processes the Personal Data in its capacity as a Processor, the UK Controller-to-Processor SCCs apply. With respect to the UK Controller-to-Processor SCCs, the Parties further agree that the details of the processing and the description of the technical and organizational security measures are set forth in Schedule 1 of this DPA (Details of Processing) and Schedule B (Technical and Organizational Measures) of this DPA.