Data Processing Addendum

DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service Agreement (the “Agreement”) between the Customer (“Customer”) and Authentic8, Inc. (“Authentic8”) (collectively the “Parties”).  

Subject Matter and Duration. 

1.1    Subject Matter. This Addendum reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Authentic8’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

1.2    Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. Authentic8 will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Authentic8’s obligations and Customer’s rights under this Addendum will continue in effect so long as Authentic8 Processes Customer Personal Data. 

2. Definitions. 

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

2.1    “Customer Personal Data” means Personal Data Processed by Authentic8 on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Appendix 1 attached hereto.

2.2    “Data Protection Laws” means all applicable state, federal, and international data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) after its effective date on January 1, 2020 and the EU General Data Protection Regulation 2016/679 (“GDPR”). 

2.3    “Personal Data” shall have the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws.

2.4    “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.5    “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that is attributable to Authentic8. 

2.6    “Services” means the services that Authentic8 performs under the Agreement. 

2.7    “Third Party(ies)” means Authentic8’s authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Customer Personal Data.

3. Data Use and Processing.

3.1    Documented Instructions. Authentic8 and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer (provided such instructions are provided prior to the effective date of this Data Processing Addendum, or expressly agreed to in writing by Authentic8 thereafter) or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. Authentic8 will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between such instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with such instructions.

3.2    Authorization to Use Third Parties. To the extent necessary to fulfill Authentic8’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Authentic8 to engage Third Parties and (ii) Third Parties to engage sub-processors.

3.3    Authentic8 and Third Party Compliance. Authentic8 agrees to (i) enter into an agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are compliant with Data Protection Laws; and (ii) remain responsible to Customer for Authentic8’s Third Parties’ failure to perform their obligations with respect to the Processing of Customer Personal Data. 

3.4    Notice of New Third Parties. Where required by Data Protection Laws, Authentic8 will notify Customer prior to engaging any new Third Parties that Process customer Personal Data by updating its list of Third Parties available at: https://www.authentic8.com/third-party-processors/

3.5    Confidentiality. Any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality. 

3.6     Personal Data Inquiries and Requests. Where required by Data Protection Laws, Authentic8 agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.

3.7    Sale of Customer Personal Data Prohibited. Authentic8 shall not sell Customer Personal Data as the term "sell" is defined by the CCPA. Authentic8 shall not disclose or transfer Customer Personal Data to a Third Party or other parties that would constitute “selling” as the term is defined by the CCPA.

3.8    Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Authentic8 agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Authentic8 requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

3.9    Demonstrable Compliance. Authentic8 agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to Customer to demonstrate compliance with this Addendum upon reasonable request.

4. Cross-Border Transfers of Personal Data. 

4.1   Cross-Border Transfers of Personal Data. Customer authorizes Authentic8 and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States (and vice versa). Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism.

4.2   Certification by Non-EMEA Customers. If Customer’s billing address is outside EMEA, and the processing of Customer Personal Data is subject to European Data Protection Law, Customer will certify as such, and identify its competent Supervisory Authority in writing to Authentic8, as applicable.

4.3   Standard Contractual Clauses. Customer and Authentic8 will use Module 2 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses (“SCCs”) to support the transfer of Customer Personal Data, the terms of which are herein incorporated by reference. The audits described in sub-sections (c) and (d) to sub-clause 8.9 (Documentation and Compliance) of the SCCs shall be carried out in accordance with Section 7 of this Addendum. Pursuant to clause 9(a) option 2 of the SCCs, Customer agrees that Authentic8 may engage new Third-Parties in accordance with Section 3.2 – 3.4 of this Addendum. The subprocessor agreements referenced in clause 9(c) and certification of deletion referenced in clause 16(d) of the SCCs shall be provided by Authentic8 only upon Customer’s written request. The optional clauses are expressly not included. Each party’s signature to the Agreement shall be considered a signature to the SCCs. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the SCCs as separate documents.  

4.4   SCC Annex I.A - List of parties. 

Data exporter:

• Name: Customer 
  Address: As specified in Agreement.
  Contact person’s name, position and contact details: Contact details for the data exporter are specified in the Agreement.
  Activities relevant to the data transferred under the SCCs: The data importer provides the Services to the data exporter in accordance with the Agreement. 
  Signature and date: The parties agree that execution of the Agreement and certification by the data exporter in relation to the Services under Section 4.2 of this Agreement shall constitute execution of these Clauses by both parties. 
  Role (controller/processor): controller 
  Data importer:
• Name: Authentic8
  Address: As specified in the Agreement. 
  Contact person’s name, position and contact details: Contact details for the data importer are specified in the Agreement. The data importer’s data protection team can be contacted as described in https://www.authentic8.com/gdpr-imprint, as applicable. 
  Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
  Signature and date: The parties agree that execution of the Agreement and certification by the data exporter in relation to the Services under Section 4.2 of this Agreement shall constitute execution of these Clauses by both parties.
  Role (controller/processor): processor 

 

4.5   SCC Annex I.B - Description of transfer. A description of the categories, duration, nature, and purpose of processing is provided in Appendix 1.

4.6   SCC Annex I.C - Competent supervisory authority. The authority identified by the data exporter as its competent supervisory authority in writing to Authentic8.

4.7   SCC Annex II - Technical and organizational measures including technical and organizational measures to ensure the security of the data. The data importer will implement and maintain security standards at least as protective as those set out in Section 5 of this Data Processing Addendum, as applicable. 

4.8   SCC Annex III - List of subprocessors. The controller has authorized the use of the subprocessors identified at https://www.authentic8.com/third-party-processors. 

4.9   SCC Annex IV - Supplementary terms for Swiss FDPA transfers only. The following terms supplement the SCCs only if and to the extent the Clauses apply with respect to data transfers subject to the Federal Data Protection Act of 19 June 1992 (Switzerland):

• 4.9.1   The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.

• 4.9.2   If the relevant data transfers are exclusively subject to the Federal Data Protection Act of 19 June 1992 (Switzerland), the competent supervisory authority/ies for purposes of Annex I.C (Competent Supervisory Authority) of the Clauses will be the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor).

4.10   SCC Annex V - Supplementary terms for UK GDPR transfers only. If and only to the extent the SCCs apply with respect to data transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) supplements the SCCs.

5. Information Security.
5.1    Information Security Policy. Authentic8 shall maintain a comprehensive written information security policy. 

5.2    Information Security Program. Authentic8 agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data in accordance with Data Protection Laws (the “Information Security Program”). In accordance with Customer’s self-configuration for the Services, such measures shall include, as appropriate: Access control mechanisms that limit access to Customer Personal Data to personnel with a business need to know; 

5.2.1    Pseudonymisation of Customer Personal Data and encryption of Customer Personal Data in transit and at rest; 

5.2.2    The ability to ensure the ongoing confidentiality, integrity, availability of Authentic8’s Processing and Customer Personal Data; 

5.2.3    The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident; 

5.2.4    A process for regularly evaluating and testing the effectiveness of the Authentic8’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. 

6. Security Incidents. 

6.1    Notice. Upon becoming aware of a Security Incident, Authentic8 agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. To the extent practicable Authenticate will exercise good faith efforts to include available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. 

7. Audits. 

Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, not more than once annually, carry out an inspection of Authentic8’s policies, procedures, and records with respect to the Processing of Customer Personal Data to the extent permitted by the applicable Data Protection Laws.  Notwithstanding the foregoing, Customer must provide Authentic8 forty-five (45) days written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Authentic8’s operations, and any such audit shall be subject to Authentic8’s security and confidentiality terms and guidelines. Customer shall be responsible for any costs arising from such audit. 

8.Data Deletion. 

At the expiry or termination of the Agreement, Authentic8 will, at Customer’s option, delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Authentic8’s data retention schedule), except where Authentic8 is required to retain copies under applicable laws, in which case Authentic8 will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws. 

9. Contact Information.
Authentic8 and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are:

• Authentic8 Designated POC: security@authentic8.com

• Customer Designated POC:

Appendix 1

1.1 Subject Matter Processing	The subject matter of Processing is the Services pursuant to the Agreement, including:   Processing of user account information for authorization and access to the Services. For Services not configured for Single Sign On (SSO)/SAML 2.0, and which require two-factor authentication, Customer user account Processing may include individual user telephone numbers.   Processing of web activity logs that can be attributed to individual Customer user accounts.1   When configured by Customer users, and if allowed by configured policy within the Services, Processing includes web resource usernames and passwords to facilitate web resource access.   When configured by Customer users, and if allowed by configured policy within the Services, Processing may involved web resource preferences (e.g., bookmarks, “favorites”, etc.).
1.2 Duration of Processing	The Processing will continue until the expiration or termination of the Agreement plus applicable periods of data retention applied by Authentic8 to meet Business Continuity and Backup and Recovery requirements. User logs are processed on a revolving 91 day basis, where logs are stored for 91 days beyond the date/time they are generated and are then deleted.
1.3 Categories of Data Subjects	Includes the following: Prospects, customers, business partners and vendors of Customer (who are natural persons) Employees or contact persons of Customer’s prospects, customers, business partners and vendors Employees, agents, advisors, freelancers of Customer (who are natural persons) Customer’s users authorized by Customer to use the Services
1.4 Nature and Purpose of Processing	Includes the following: The recording, organization, structuring, storage, transmission, and use of Customer Personal Data in the performance of the Services pursuant to the Agreement.
1.5 Types of Customer Personal Data	Customer Personal Data includes the following:  Customer user account information may include Customer Personal Data unless the Customer configures accounts according to privacy-oriented best practices (e.g., use of pseudonymized first and last names, use of SSO/SAML, use of general customer-managed email, etc.).  User account fields, by default, may store the following types of Customer Personal Data: first and last name, email address, and telephone number. Depending on the configured policy settings, the Services may store individual web resource usernames and passwords. Depending on Customer’s usage of the Services, user logs may contain personal data corresponding to the nature of the web activity. For the purpose of clarity, Customer Personal Data shall not include Cardholder Data (as defined by the Payment Card Industry Data Security Standard) and/or Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996).