Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the agreement signed between the G2 entity which is a party to the principal agreement (“Company” and “Agreement” respectively) and its counter party (“Partner”, each “Party”, together “Parties”).
If Partner Processes Personal Data, or if Partner has access to Personal Data in the course of its performance under the Agreement, Partner shall comply with the terms and conditions of this DPA as a “processor”, including Annex I-III, which are attached herewith and incorporated herein by reference (“Attachments”).
1. Definitions and Interpretation
1.1 In this DPA:
1.1.1 “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, “control” (including, with correlative meanings, the terms “controlling”, “controlled by” and “under common control with”) means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
1.1.2 “Approved Jurisdiction” means a member state of the European Economic Area (“EEA”), the UK, or other jurisdiction as may be approved as having adequate legal protections for data by either the European Commission currently found here or the UK Information Commissioner’s Office (ICO), as applicable.
1.1.3 “Data Protection Laws” means, as applicable, any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), and any amendments or replacements to the foregoing.
1.1.4 “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.1.5 “Special Categories of Data” means personal data as defined under Article 9 of the GDPR.
1.1.6 “Standard Contractual Clauses” means the Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as available here. Where the UK GDPR is applicable, the term Standard Contractual Clauses shall also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March 2022 (“UK Addendum”).
1.1.7 The terms “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” as used in this DPA have the meanings given in the GDPR.
1.1.8 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2. Application of this DPA
2.1 This DPA will only apply to the extent all of the following conditions are met:
2.1.1 Partner processes Personal Data that is made available by the Company in connection with the Agreement;
2.1.2 The Data Protection Laws apply to the processing of such Personal Data.
3. Roles and Restrictions on Processing
3.1 If Partner has access to or otherwise Processes Personal Data pursuant to the Agreement, then Partner shall:
3.1.1 only Process the Personal Data in accordance with Company’s documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. In such case, Partner shall, to the extent legally permitted, promptly notify Company of such legal obligation;
3.1.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this DPA);
3.1.3 promptly, and in any case within the period of time required in Data Protection Laws, assist Company as needed to cooperate with and respond to requests from supervisory authorities, Data Subjects, customers, or others to provide information (including details of the services provided by Partner) related to Partner’s Processing of Personal Data;
3.1.4 notify the Company without undue delay, and no later than twenty-four (24) hours, after becoming aware of a Security Incident;
3.1.5 provide full, reasonable cooperation and assistance to Company in:
3.1.5.1 ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
3.1.5.2 ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable).
3.1.6 upon receipt of: (a) requests from Data Subjects to exercise their rights under the Data Protection Laws in connection with Personal Data Processed under this DPA; and/or (b) any requests or inquiries from supervisory authorities, customers, or others, to provide information related to Partner’s Processing of Personal Data under this DPA, shall: (i) direct such requests to Company without undue delay, and (ii) not respond or act upon such requests without prior written approval from Company; and (iii) promptly, and in any case within the period of time required in Data Protection Laws, provide full, reasonable cooperation and assistance to Company in responding to and exercising such requests, except that the foregoing shall not apply only and insofar as it conflicts with Data Protection Laws.
3.1.7 only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement or this DPA;
3.1.8 as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any Personal Data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request;
3.1.9 make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in its custody or under its control, to the extent Partner has the ability to do so;
3.1.10 not lease, sell or otherwise distribute Personal Data;
3.1.11 promptly notify Company of any investigation, litigation, arbitrated matter or other dispute relating to the Recipient or the processing of Personal Data under the Agreement;
3.1.12 promptly notify Company in writing and provide Company an opportunity to intervene in any judicial or administrative process if Recipient is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Company;
3.1.13 upon termination of the Agreement, or upon Company’s written request at any time during the term of the Agreement, Partner shall cease to Process any Personal Data received from Company, and within a reasonable period will at the request of Company: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.
4. Sub-Processing
4.1 Partner shall not subcontract its obligations under this DPA to another person or entity (“Sub-Processors”), in whole or in part, without Company’s prior written approval or general written authorization, and shall inform the Company of any intended changes concerning the addition/replacement of other Sub-Processors, no later than thirty (30) days prior to such intended change. Company shall have the right to object to the appointment of any new Sub-Processor within 30 days of having been notified of the Sub-Processor’s appointment by Partner, in which event the Parties shall negotiate in good faith this objection. In the event the Parties, acting reasonably and in good faith, have not reached an amicable solution, then Company may terminate the Agreement or any portion of it that requires the employment of said Sub-Processor. A list of current Sub-Processors shall be provided together with the signing of this DPA.
4.2 Partner will execute a written agreement with such approved Contractor containing equivalent terms to this DPA and the applicable Attachments (provided that Partner shall not be entitled to permit the Contractor to further sub-contract or otherwise delegate all or any part of the Contractor’s processing without Company’s prior written consent at Company’s sole discretion) and which expressly provides Company with third party beneficiary rights to enforce such terms and/or require Partner to procure that the Contractor enters into a Data Protection agreement with Company directly.
4.3 Company may require Partner to provide Company with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to Personal Data proposed.
4.4 Partner shall be liable for the acts or omissions of Contractors to the same extent it is liable for its own actions or omissions under this DPA.
5. Transfer of Personal Data
5.1 To the extent Partner processes Personal Data outside the EEA, UK or an Approved Jurisdiction, the parties shall enter into the Standard Contractual Clauses, in accordance with the amendments outlined in sections 5.4 and 5.5 below.
5.2 To the extent Partner’s Contractors process Personal Data outside the EEA, UK or an Approved Jurisdiction, such transfer shall be based on one of the appropriate safeguards specified in the GDPR or UK GDPR (as applicable).
5.3 If Partner and/or Partner’s Affiliates and/or their Contractors intend to rely on Standard Contractual Clauses (where subcontracting or performance is allowed by the Agreement), then if the Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this DPA, and Partner will promptly begin complying with such Standard Contractual Clauses.
5.4 To the extent that the Parties will rely on the Standard Contractual Clauses, the following amendments shall apply:
i. The Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module 2).
ii. Clause 7 of the Standard Contractual Clauses shall not be applicable.
iii. In Clause 9, option 2 shall apply. The Data Importer shall inform the Data Exporter of any intended changes to the list of Sub-Processors (Annex III) at least thirty (30) days prior to the engagement of the Sub-Processor. Annex III shall be updated accordingly.
iv. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
v. In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of England and Wales.
vi. In Clause 18(b) the Parties choose the courts of England and Wales as their choice of forum and jurisdiction.
vii. The Parties shall complete Annex I-III below, which are incorporated in the Standard Contractual Clauses by reference.
5.5 Where the transfer of Personal Data is subject to the UK GDPR and the transfer relies on the UK Addendum, then the following amendments shall apply to the UK Addendum:
i. In Table 1, the “Exporter” is Company and the “Importer” is Partner; and the Parties’ details and signatures are included in this DPA.
ii. In Table 2, the first option is selected and the “Approved EU SCCs” are those Standard Contractual Clauses incorporated into this DPA.
iii. In Table 3: (1) “Annex 1A and 1B” shall be replaced by Annex I of this DPA; (2) “Annex II” shall be replaced by Annex II of this DPA; and (3) “Annex III” shall be replaced by Annex III of this DPA.
iv. In Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum in accordance with section 19 of the UK Addendum.
6. Security Standards
6.1 Partner shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of Processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2 To the extent that Partner Processes Special Categories of Data, the security measures referred to in this DPA shall also include, at a minimum (i) routine risk assessments of Partner’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
7. General
7.1 If this DPA does not specifically address a particular data security or privacy standard or obligation, Partner will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of Personal Data.
7.2 If Partner is unable to provide the level of protection as required herein, Partner shall immediately notify Company and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Company shall have the right to terminate the Agreement immediately without penalty.
7.3 Company shall have the right to: (a) require promptly from Partner all information necessary to, and (b) conduct its own audit and/or inspections of Partner (including its facilities or equipment involved in the Processing of Personal Data) in order to: demonstrate compliance with the DPA and the applicable Attachments and/or Data Protection Laws. The Partner shall allow and contribute to such audit and/or inspection. Such audit and/or inspection shall be conducted with reasonable advance notice to Partner and shall take place during normal business hours to reasonably limit any disruption to Partner’s business.
7.4 Partner will indemnify Company and hold Company harmless from any cost, charge, damages, expense or loss incurred as a result of Partner’s breach of any of the provisions of this DPA. Indemnification hereunder is contingent upon (a) Company promptly notifying Partner of a claim, (b) Company having sole control of the defense and settlement of any such claim, and (c) Company providing reasonable cooperation and assistance to Partner in defense of such claim.
8. Priority
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
9. Changes to this DPA
9.1 Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Partner, as reasonably determined by Company.
9.2 If Company intends to change this DPA under this Section, and such change will have a material adverse impact on Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
9.3 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.
ANNEX I
A. IDENTIFICATION OF PARTIES
“Data Exporter”: Company
“Data Importer”: Partner
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As described in the Agreement
Categories of personal data transferred
As described in the Agreement
Sensitive data transferred (if applicable)
N/A
The frequency of the transfer
As described in the Agreement.
Nature of the processing
As described in the Agreement.
Purpose(s) of the data transfer and further processing
As described in the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory authority will be in accordance with the provisions of Clause 13.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Security Management
Partner maintains a written information security management system (ISMS), in accordance with this Annex, that includes policies, processes, enforcement and controls governing all storage/processing/transmitting of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Partner Network; and (c) minimize security risks, including through risk assessment and regular testing. The information security program will include the following measures:
Partner actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.
To the extent Partner processes cardholder or payment data (such as payment or credit cards), Partner will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or such other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation, and control of its ISMS. Additionally, Partner will be assessed against PCI DSS annually by an on-site assessment carried out by an independent QSA (Qualified Security Assessor) and, upon Company’s request, not to exceed once annually, Partner will provide Company with its PCI DSS Attestation of Compliance.
Maintain an Information Security Policy
Partner’s ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:
• Maintaining security policies and procedures,
• Secure development, operation and maintenance of software and systems,
• Security alert handling,
• Security incident response and escalation procedures,
• User account administration,
• Monitoring and control of all systems as well as access to Personal Data.
Personnel are screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared or that could affect the security of Personal Data, a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.
Partner has implemented a risk-assessment process that is based on ISO 27005.
Secure Networks and Systems
Partner has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Partner’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.
Partner does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.
Protection of Personal Data
Partner keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.
Partner uses strong encryption and hashing for Personal Data anywhere it is stored. Partner has documented and implemented all necessary procedures to protect (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.
Vulnerability Management Program
Partner protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.
Partner develops and maintains secure systems and applications by:
• Having established and evolving a process to identify and fix (e.g. through patching) security vulnerabilities, that ensures that all systems components and software are protected from known vulnerabilities,
• Developing internal and external software applications, including web applications, securely using a secure software development process based on best practices, such as code reviews and OWASP secure coding practices, that incorporates information security throughout the software development lifecycle,
• Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevent the use of production data for testing or development.
Implementation of Strong Access Control Measures
“Partner Network” means the Partner’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Partner to process or store Personal Data.
The Partner Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Company. Partner will maintain access controls and policies to manage what access is allowed to the Partner Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Partner will maintain corrective action and incident response plans to respond to potential security threats.
Partner strictly restricts access to Personal Data by business need to know to ensure that critical data can only be accessed by authorized personnel. This is achieved by:
• Limiting access to system components and Personal Data to only those individuals whose job requires such access and
• Establishing and maintaining an access control system for systems components that restricts access based on a user’s need to know, with a default “deny-all” setting.
Partner identifies and authenticates access to all system components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for their actions and that any actions taken on critical data and systems can be traced to known and authorized users and processes. Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials as well as lock-out of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.
User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.
Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.
Restriction of Physical Access to Personal Data
Any physical access to data or systems that house Personal Data is appropriately restricted using appropriate entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.
Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.
Regular Monitoring and Testing of Networks
All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting, and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time, and audit trails are secured and protected, including file-integrity monitoring to prevent changes to existing log data and/or to generate alerts when such changes occur. Audit trails for critical systems are kept for a year.
Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:
• Processes to test for rogue wireless access points,
• Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests,
• External and internal penetration tests using Partner’s penetration test methodology that is based on industry-accepted penetration testing approaches, covers all relevant systems and includes application-layer as well as network-layer tests.
All test results are kept on record and any findings are remediated in a timely manner.
Partner does not allow penetration tests carried out by or on behalf of its customers.
In daily operations, an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.
Incident Management
Partner has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:
• Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
• Specific incident response procedures,
• Analysis of legal requirements for reporting compromises,
• Coverage of all critical system components,
• Regular review and testing of the plan,
• Incident management personnel that are available 24/7,
• Training of staff,
• Inclusion of alerts from all security monitoring systems,
• Modification and evolution of the plan according to lessons learned and to incorporate industry developments.
Partner has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that is maintained and regularly tested. Data backup processes have been implemented and are tested regularly.
Physical Security
Physical Access Controls. Physical components of the Partner Network are housed in nondescript facilities (“Facilities”). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
Limited Employee and Contractor Access
Partner provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Partner or its affiliates.
Physical Security Protections
All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Partner also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
Continued Evaluation
Partner will conduct periodic reviews of the security of its Partner Network and the adequacy of its information security program as measured against industry security standards and its policies and procedures. Partner will continually evaluate the security of its Partner Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
ANNEX III – LIST OF SUB-PROCESSORS
A list of current Sub-Processors shall be provided together with the signing of this DPA.