These Conformio Data Processing & Security Terms (“Terms”) supplement the General Terms and Conditions of Use.
All capitalized terms used in these Terms shall have the meanings given to them below:
1.1 Applicable Data Protection Law: means all applicable international, federal, national, and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of these Terms (including, where applicable, European Data Protection Law).
1.2 Controller: means the entity that determines the purposes and means of the processing of Personal Data, which for the purposes of these Terms means the Client.
1.3 European Data Protection Law: means: (i) prior to May 25, 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; and (ii) on and after May 25, 2018, the EU General Data Protection Regulation 2016/679 (“GDPR”) and any applicable national laws made under the GDPR.
1.4 Personal Data (“Data”): means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.5 Processor: means an entity that processes Personal Data on behalf of the Controller, which for the purposes of these Terms means Advisera.
2. DATA PROTECTION
2.1 Relationship of the Parties: As between the Parties, the Client is the Controller and appoints Advisera as a Processor to process the Personal Data described in section 1.4.
2.2 Purpose limitation: The Processor shall process the Data as a Processor only for the purposes described in Annex 1 and strictly in accordance with the documented instructions of the Client (the “Permitted Purpose”). In no event shall the Processor process the Data for its own purposes or those of any third party.
2.3 International transfers of Data: The Processor shall at all times provide an adequate level of protection for the Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law including, but not limited to, Standard Contractual Clauses that are required by the European Union.
2.4 Confidentiality of processing: The Processor shall keep strictly confidential all Personal Data that it processes on behalf of the Client. The Processor shall ensure that any person whom it authorizes to process the Data (including the Processor’s staff, agents, and subcontractors) (each an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. The Processor shall ensure that only Authorized Persons will have access to, and process, the Data, and that such access and processing shall be limited to the extent strictly necessary to achieve the Permitted Purpose.
2.5 Security: The Processor shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, unauthorized alteration, unauthorized disclosure of, or unauthorized access to the Data. At a minimum, such measures shall include the security measures identified in Annex 2 to these Terms.
2.6 Subcontracting: The Controller consents to the Processor’s engagement of third-party sub-Processors, including Certified Partners of the Processor, to process the Data, provided that the Processor provides to the Client an up-to-date list of its then-current sub-Processors upon request.
The Processor shall impose on any sub-Processor it appoints data protection terms that, at a minimum, meet the requirements provided for by these Terms.
2.7 Cooperation and individuals’ rights: To the extent permitted by Applicable Law, the Processor shall provide reasonable and timely assistance to the Client to enable the Client to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, inquiry, or complaint received from an individual, regulator, court, or other third party in connection with the processing of the Data. In the event that any such communication is made directly to the Processor, the Processor shall instruct such individual to contact the Client directly.
2.8 Data Protection Impact Assessment: If the Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform the Client of the same. The Processor shall provide the Client with all such reasonable and timely assistance as the Client may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
2.9 Security incidents: Upon becoming aware of a Security Incident, the Processor shall inform the Client without undue delay (and, in any event, within 72 hours) and shall provide such timely information and cooperation as the Client may require in order for the Client to fulfill its data breach reporting obligations under (and in accordance with the timeliness required by) Applicable Data Protection Law and relevant contractual obligations owed by the Client to its subscribers. The Processor shall cooperate with the Client in taking all appropriate measures and actions as are necessary to remedy or mitigate the effects of the Security Incident, shall manage and modify its systems to remedy or mitigate such Security Incident and the likelihood of future similar Security Incidents, and shall keep the Client informed of all developments in connection with the Security Incident. The Processor shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) the Client has agreed to such notification, and/or (b) notification is required to be made by the Processor under Applicable Data Protection Laws. For the avoidance of doubt, the Processor shall have the right to comply with the terms of its contracts with other customers with respect to their data.
2.10 Deletion or return of Data: Upon termination or expiration of these Terms, the Processor shall (at Client’s request) destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing), provided, however, that customer data (including Data) may be retained on backup for a period of up to two (2) years for legal and compliance purposes. Notwithstanding the foregoing, the Processor shall not reduce the security measures at any time until such Data is permanently deleted.
2.11 General cooperation to remediate: In the event that Applicable Data Protection Law, or a data protection authority or regulator, provides that the transfer or processing of Personal Data under these Terms is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the processing (by amendment to these Terms or otherwise) to the extent practical in order to meet the necessary standards or requirements. If the Processor is unable to remediate the processing, then the Client will be entitled to terminate usage of the Conformio service (and any other agreement between the Parties relating to the provision of services by the Processor to the Client) without penalty.
3.1 The obligations placed upon the Processor under these Terms shall survive so long as the Processor and/or its sub-Processors process Personal Data on behalf of the Client.
ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER’S PERSONAL DATA
This Annex 1 includes certain details of the processing of the Controller’s Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the processing of Controller’s Personal Data.
The nature and purpose of the processing of the Controller’s Personal Data: hosting virtual servers for providing the Conformio Software-as-a-Service.
The types of Controller’s Personal Data to be processed: email, name, and other Personal Data provided to the Processor by the Controller or by the Controller’s end users.
The categories of Data Subject to whom the Controller’s Personal Data relates: Registered users of the Conformio Software-as-a-Service.
ANNEX 2: DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES IMPLEMENTED BY THE PROCESSOR
Description of the technical and organizational security measures implemented by the Processor:
1. Physical Access Controls: The Processor shall take reasonable measures to prevent physical access, in order to prevent unauthorized persons from gaining access to Personal Data.
2. System Access Controls: The Processor shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords, authorization processes, and control of access.
3. Data Access Controls: The Processor shall take reasonable measures to ensure that Personal Data is accessible and manageable only by properly authorized staff, that any direct database query access is restricted to authorized personnel, and that application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Personal Data is prohibited from being read, copied, modified, or removed without authorization in the course of processing.
4. Transmission Controls: The Processor shall take reasonable measures to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
5. Input Controls: The Processor shall take reasonable measures to ensure that it is possible to check and establish whether Personal Data has been entered into data processing systems, modified, or removed, and by whom. The Processor shall also take reasonable measures to ensure that (i) the Personal Data source is under the control of the data exporter; and (ii) Personal Data integrated into the Processor’s systems is managed by secured file transfer between the Processor and the Data Subject.
6. Data Backup: The Processor shall ensure that backups are taken on a regular basis, are secured, and are encrypted when storing Personal Data to protect against accidental destruction or loss when hosted by the Processor.