Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service Agreement (the “Agreement”) between the Customer (“Customer”) and Authentic8, Inc. (“Authentic8”) (collectively the “Parties”).

  1. Subject Matter and Duration.
    1. Subject Matter. This Addendum reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Authentic8’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
    2. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. Authentic8 will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Authentic8’s obligations and Customer’s rights under this Addendum will continue in effect so long as Authentic8 Processes Customer Personal Data.
  2. Definitions.
    For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
    1. “Customer Personal Data” means Personal Data Processed by Authentic8 on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Appendix 1 attached hereto.
    2. “Data Protection Laws” means all applicable state, federal, and international data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) after its effective date on January 1, 2020 and the EU General Data Protection Regulation 2016/679 (“GDPR”).
    3. “Personal Data” shall have the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws.
    4. “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that is attributable to Authentic8.
    6. “Services” means the services that Authentic8 performs under the Agreement.
    7. “Third Party(ies)” means Authentic8’s authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Customer Personal Data.
  3. Data Use and Processing.
    1. Documented Instructions. Authentic8 and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer (provided such instructions are provided prior to the effective date of this Data Processing Addendum, or expressly agreed to in writing by Authentic8 thereafter) or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. Authentic8 will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between such instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with such instructions.
    2. Authorization to Use Third Parties. To the extent necessary to fulfill Authentic8’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Authentic8 to engage Third Parties and (ii) Third Parties to engage sub-processors.
    3. Authentic8 and Third Party Compliance. Authentic8 agrees to (i) enter into an agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are compliant with Data Protection Laws; and (ii) remain responsible to Customer for Authentic8’s Third Parties’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
    4. Notice of New Third Parties. Where required by Data Protection Laws, Authentic8 will notify Customer prior to engaging any new Third Parties that Process Customer Personal Data by updating its list of Third Parties available at: https://www.authentic8.com/third-party-processors/
    5. Confidentiality. Any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
    6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Authentic8 agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
    7. Sale of Customer Personal Data Prohibited. Authentic8 shall not sell Customer Personal Data as the term "sell" is defined by the CCPA. Authentic8 shall not disclose or transfer Customer Personal Data to a Third Party or other parties that would constitute “selling” as the term is defined by the CCPA.
    8. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Authentic8 agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Authentic8 requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
    9. Demonstrable Compliance. Authentic8 agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to Customer to demonstrate compliance with this Addendum upon reasonable request.
  4. Cross-Border Transfers of Personal Data.
    1. Cross-Border Transfers of Personal Data. Customer authorizes Authentic8 and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States (and vice versa). Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism.
    2. Standard Contractual Clauses. Customer and Authentic8 will use the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) to support the transfer of Customer Personal Data, the terms of which are herein incorporated by reference. The audits described in Clause 5(f) and Clause 12(2) of the Model Clauses shall be carried out in accordance with Section 7 of this Addendum. Pursuant to Clause 5(h) of the Model Clauses, Customer agrees that Authentic8 may engage new Third Parties in accordance with Sections 3.2 through 3.4 of this Addendum. The sub-processor agreements referenced in Clause 5(j) and the certification of deletion referenced in Clause 12(1) of the Model Clauses shall be provided by Authentic8 only upon Customer’s written request. The optional clauses are expressly not included. Each Party’s signature to the Agreement shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.
  5. Information Security.
    1. Information Security Policy. Authentic8 shall maintain a comprehensive written information security policy.
    2. Information Security Program. Authentic8 agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data in accordance with Data Protection Laws (the “Information Security Program”). In accordance with Customer’s self-configuration for the Services, such measures shall include, as appropriate:
      1. Access control mechanisms that limit access to Customer Personal Data to personnel with a business need to know;
      2. Pseudonymisation of Customer Personal Data and encryption of Customer Personal Data in transit and at rest;
      3. The ability to ensure the ongoing confidentiality, integrity, and availability of Authentic8’s Processing and Customer Personal Data;
      4. The ability to restore the availability of and access to Customer Personal Data in the event of a physical or technical incident;
      5. A process for regularly evaluating and testing the effectiveness of Authentic8’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
  6. Security Incidents.
    1. Notice. Upon becoming aware of a Security Incident, Authentic8 agrees to provide written notice without undue delay, and within the time frame required under Data Protection Laws, to Customer’s Designated POC. To the extent practicable, Authentic8 will exercise good faith efforts to include available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
  7. Audits. 
    1. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, not more than once annually, carry out an inspection of Authentic8’s policies, procedures, and records with respect to the Processing of Customer Personal Data to the extent permitted by the applicable Data Protection Laws. Notwithstanding the foregoing, Customer must provide Authentic8 forty-five (45) days written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Authentic8’s operations, and any such audit shall be subject to Authentic8’s security and confidentiality terms and guidelines. Customer shall be responsible for any costs arising from such audit.
  8. Data Deletion. 
    1. At the expiry or termination of the Agreement, Authentic8 will, at Customer’s option, delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Authentic8’s data retention schedule), except where Authentic8 is required to retain copies under applicable laws, in which case Authentic8 will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
  9. Contact Information.
    1. Authentic8 and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POCs for both Parties are:

Appendix 1

1.1 Subject Matter of Processing
The subject matter of Processing is the Services pursuant to the Agreement, including:
  • Processing of user account information for authorization and access to the Services. For Services not configured for Single Sign-On (SSO)/SAML 2.0, and which require two-factor authentication, Customer user account Processing may include individual user telephone numbers.
  • Processing of web activity logs that can be attributed to individual Customer user accounts.
  • When configured by Customer users, and if allowed by configured policy within the Services, Processing includes web resource usernames and passwords to facilitate web resource access.
  • When configured by Customer users, and if allowed by configured policy within the Services, Processing may involve web resource preferences (e.g., bookmarks, “favorites”, etc.).

1.2 Duration of Processing
The Processing will continue until the expiration or termination of the Agreement plus applicable periods of data retention applied by Authentic8 to meet Business Continuity and Backup and Recovery requirements. User logs are processed on a revolving 91-day basis: logs are stored for 91 days beyond the date/time they are generated and are then deleted.
1.3 Categories of Data Subjects
Includes the following:
  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s users authorized by Customer to use the Services
1.4 Nature and Purpose of Processing
Includes the following:
The recording, organization, structuring, storage, transmission, and use of Customer Personal Data in the performance of the Services pursuant to the Agreement.
1.5 Types of Customer Personal Data
Customer Personal Data includes the following:
  • Customer user account information may include Customer Personal Data unless the Customer configures accounts according to privacy-oriented best practices (e.g., use of pseudonymized first and last names, use of SSO/SAML, use of general customer-managed email, etc.).
  • User account fields, by default, may store the following types of Customer Personal Data: first and last name, email address, and telephone number.
  • Depending on the configured policy settings, the Services may store individual web resource usernames and passwords.
  • Depending on Customer’s usage of the Services, user logs may contain personal data corresponding to the nature of the web activity.
  • For the purpose of clarity, Customer Personal Data shall not include Cardholder Data (as defined by the Payment Card Industry Data Security Standard) and/or Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996).