Data Processing Addendum
- DEFINITIONS.
The following terms shall have the following meanings. Capitalized terms not defined herein shall have the same meaning set forth in the Main Agreement.- “Affiliate”means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party.
- “Business Contact Data” means (i) contact information of Customer’s representatives for invoicing, billing, and other business inquiries; (ii) information on Customer’s usage of Services; and (iii) other information that Sapience collects and needs to communicate with Controller.
- “Controller” means the party or parties to this DPA that determine(s) the purposes and means of the Processing of Personal Data for purposes of the Agreement.
- “Controller Personal Data” means any Personal Data Processed by a Party under the Agreement in its capacity as a Controller.
- “Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the laws and regulations of the United States, the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).
- “Data Subject” means an identified or identifiable natural person whose Personal Data is, or will be, Processed.
- “Personal Data” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Data” shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.
- “Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.
- “Processor” means a Party to DPA that Processes Personal Data on behalf of the Controller or Controller’s Affiliates. The term Processor as used herein is equivalent to the term “Processor” as used in the GDPR, and the term “Service Provider” as used in the CCPA.
- “Services” means the services provided or received by the Parties pursuant to the Agreement.
- “Standard Contractual Clauses” means the agreement executed by and between Controller and Processor pursuant to the European Commission’s decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection found at (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.
- “Subprocessor” means another Processor engaged by Processor with specific instructions to carry out Personal Data Processing Activities listed at https://d824jnzl62zcj.cloudfront.net/subprocessors/.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
- GENERAL TERMS.
- Roles of Parties. The Parties acknowledge and agree that for purposes of this DPA, Sapience is a Processor of the Personal Data Processed in connection with the Agreement, and that Customer is a Controller:
- Personal Data Processing. In connection with its performance of the Services specified in the Main Agreement, Processor will Process the Personal Data relating to the Controller Data Subjects,. The Main Agreement may include restrictions regarding the types of Personal Data that may be provided by Customer to Sapience and such restrictions are hereby incorporated into this DPA.
- Limitations and Prohibitions.
- Processor shall only Process Controller Personal Data during the term of the Main Agreement and for the purpose of performing the services specified in the Main Agreement. Customer is the owner of any and all Personal Data.
- Processor shall (1) limit access to Controller Personal Data to only those employees or agents that require access to perform their roles and responsibilities in connection with the Services, and (2) under no circumstances rent, sell or disclose Controller Personal Data, except as otherwise allowed under the Agreement.
- Processor will not combine Controller Personal Data with data from any other source, company, organization or entity, unless necessary to provide the Services. Processor will not copy or reproduce Controller Personal Data for its own purposes or those of any subprocessor or other third party.
- DATA SECURITY.
- Processor will maintain appropriate physical, technical and organizational informational security measures set out in Annex 3 to protect the integrity, security and confidentiality of all Controller Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data. The information security measures in Annex 3, may be supplemented or modified in the applicable transaction document, to protect Controller Personal Data and Business Contact Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.
- Controller acknowledges that Processor may change the security measures through the adoption of new or enhanced security technologies and authorizes Processor to make such changes provided that they do not diminish the level of protection. Processor shall make information about the most up to date security measures applicable to the Services available to Controller upon request.
- Data Retention and Deletion.
- Processor shall retain Controller Personal Data for only so long as necessary to perform its obligations under the Agreement, unless otherwise required under applicable laws.
- Upon termination or expiration of the Agreement or earlier as requested by Controller, Processor shall destroy or return to Controller (at Controller’s election) all Controller Personal Data in its possession, custody and control, except for such Personal Data as must be retained under applicable law (which Processor shall destroy once it is no longer required under applicable law to retain). At Controller’s request, Processor shall provide Controller with a written log evidencing the destruction and any retention of Controller Personal Data.
- Data Security Incidents.
- Notice to Controller. Processor shall notify Controller within forty-eight (48) hours of discovery of unauthorized access to, acquisition or disclosure of Controller Personal Data, or other identified breach of security or confidentiality with respect to Controller Personal Data in Processor’s or its representatives’ control or possession (a “Data Security Incident”).
- Third Party Notices. If a Data Security Incident requires notice to any regulator, Data Subject or other third party: (1) Controller shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law; (2) Processor may notify the affected parties only upon Controller’s prior written approval and instructions, unless otherwise required by applicable law; and (3) Processor shall reimburse Controller for all reasonable expenses incurred by Controller in connection with any notice with respect to any breach of security or confidentiality for which Processor is responsible.
- Notice requirements. The notice to Controller required under Paragraph 3.4.1 shall include:
- a description of the Data Security Incident, including the date and time the Data Security Incident was discovered;
- an overview of the affected Personal Data;
- the number of Data Subjects affected;
- the expected consequences of the Data Security Incident; and
- a description of the measures taken by Processor to mitigate such consequences.
- Indemnification. In addition to the terms set forth in the Main Agreement, Processor agrees to indemnify, defend and hold harmless Controller, its directors, officers, employees and agents from and against any and all losses, damages, fees and expenses arising from any claims due to Processor’s loss, alteration, or misuse of Controller Personal Data, or unauthorized access to or destruction or disclosure of Controller Personal Data when under Processor’s sole control.
- Limitation of Liability. Any loss suffered by a Party resulting from, arising out of or relating to a breach of this DPA by the other Party that is not due to claims from third parties shall be governed by the provisions regarding limitation of liability in the Main Agreement.
- PROCESSOR TERMS.
- Compliance with Controller instructions and applicable laws. In connection with its Processing of Controller Personal Data, Processor shall not be required to comply with or observe Controller’s instructions if, in its reasonable discretion, such instructions would violate any Data Protections Laws and regulations, and Sapience shall promptly notify Controller of such. This DPA, the Main Agreement, and Customer’s use of the Services, features and functionality, are Customer’s complete set of instructions to Sapience in relation to the processing of Personal Data.
- Business Contact Data. Processor shall also comply with all applicable laws and Processor’s privacy policy with respect to the Processing of Business Contact Data and use Business Contact Data only for legitimate business purposes, including, without limitation, for invoicing, collections, service usage monitoring and optimization, service improvements, maintenance, support, communications relating to contract renewals (directly or through a subprocessor acting on Processor’s behalf or a Processor approved reseller for contract renewal purposes) and information about new and additional services.
- Internal Audits. Upon written request, Processor shall provide, if available, any data security compliance reports or audit reports that assess the effectiveness of Processor’s information security program, system(s), internal controls, and procedures relating to the Processing of Personal Data.
- Controller Audits. Certain information about Processor’s security standards and practices are sensitive confidential information which will not be disclosed by Processor to Controller. Upon request, Processor agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder. Upon reasonable advance written notice in no case fewer than five (5) business days and Processor acceptance, Controller may, not more than once per year, during normal business hours and at its own expense, inspect Processor’s facilities, networks and procedures directly related to the processing of Controller Personal Data in order to determine compliance with this DPA. Processor shall reasonably cooperate with such audit by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Controller Personal Data. Controller shall be responsible for its costs and expenses of such audit. Processor will promptly address and correct any deficiencies identified in any such audit.
- Requests or Demands from Governmental or Regulatory Bodies. Processor shall inform Controller as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over Processor or Controller relating to Processor’s Processing of Controller Personal Data and shall fully cooperate with Controller in connection with such investigation or audit.
- Data Subject Rights. If Processor receives a request from a Data Subject relating to their Controller Personal Data, Processor shall immediately forward the request to Controller and provide all reasonable cooperation necessary to fulfill the Data Subject’s request in compliance with applicable laws.
- Cross Border Transfers. To the extent that Processor Processes the Personal Data of Data Subjects in, or in relation to services provided in the European Economic Area (EEA) in connection with its performance of the Services and such Personal Data is transferred outside of the EEA, the Parties hereby incorporate, and Processor agrees to comply with the Standard Contractual Clauses found in Annex 4 that are approved by the European Commission for data transfers to processors that are current at the time of the data transfer.
- Subprocessors.
- Prior written consent. By executing this DPA, Controller has given its general written consent and authorization for Sapience to engage Subprocessors in connection with the Services. Controller may request a copy of such agreement between Processor and any Subprocessor and may withhold consent to the use of such Subprocessor if Processor does not provide such agreement or such agreement does not contain sufficient protection of Controller Personal Data. A current list of Subprocessors is found at https://d824jnzl62zcj.cloudfront.net/subprocessors/, such link may be updated by Sapience from time to time in accordance with Section 4.8.3 of this DPA.
- Onward Transfer of Personal Data. Any transfer by Processor of Personal Data to a Data Sub-processor will be governed by a written contract providing that the Subprocessor will process Personal Data in accordance with Sapience’s instructions as required by Data Protection Laws.
- Appointment of new Data Sub-processors. Sapience may not transfer Personal Data to any other Subprocessor without providing prior written notice to Controller, provided that Controller will have ten (10) business day to reasonably object that such change causes Controller to be in violation of Data Protection Laws. In the even that Controller has not provided an objection to such changes within ten (10 ) business days, Controller will be deemed to have waived its right to object and to have consented to the use of the new or alternative Subprocessor. In the event that Controller reasonably objects to such change, Sapience shall, in its discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Controller per the Main Agreement; (2) take the corrective steps requested by Controller in its objection and proceed to use the new Subprocessor; or (3) cancel its plans to use the Subprocessor. If Sapience is unable or unwilling to achieve either (1)-(3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days from the receipt by Sapience of the objection, Controller may, as its sole and exclusive remedy available under this paragraph, terminate its applicable services under the Main Agreement with respect only to those aspects of the Service which cannot be provided by Sapience without the use of the new Subprocessor. In such event, Sapience shall refund Controller any unused, prepaid fees for the applicable Service covering the remainder of the subscription term after the date of termination.
- Liability. Processor is responsible for ensuring the compliance of Subprocessors with applicable Data Protection Law in connection with the Processing of Controller Personal Data.
- CONTROLLER TERMS.
- Role of Controller:
- is an independent controller of Controller Personal Data under the Data Protection Law.
- will individually determine the purposes and means of its Processing of Controller Personal Data.
- will individually inform Data Subjects and allow Data Subjects to exercise their rights under applicable laws.
- will comply with the obligations applicable to it under the Data Protection Law with respect to the Processing of Controller Personal Data.
- Restrictions. Section 5.1 will not affect any restrictions on either Party’s rights to use or otherwise Process Controller Personal Data under the Agreement.
- Role of Controller:
- MISCELLANEOUS.
- Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, Processor Processes or retains Controller Personal Data.
- Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.
- Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
- Conflict. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
- Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this Agreement.