Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of the Evisort Terms and Conditions, available at www.evisort.com/terms (“Agreement”) between Evisort Inc. (“Evisort”) acting on its own behalf and as agent for each Evisort Affiliate (as defined below) and the Customer identified in the Order Form (“Customer”) acting on its own behalf and as agent for each Customer Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
Should you require an executed and signed version of this Addendum, please fill out the DPA request form at https://forms.gle/t1P8cw4Za6KV7WDq9. You can also email [email protected].
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
- Definitions.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Evisort respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2. “Controller,” “Processor,” “Data Subject,” “Processing,” “Supervisory Authority,” “Personal Data Breach,” and “Special Categories of Personal Data” shall have the same meaning as in the applicable Data Protection Law.
1.3. “Customer Personal Data” means Personal Data received from or on behalf of Customer that is covered by a Data Protection Law.
1.4. “Data Protection Laws” means: (i) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); and (ii) the EU General Data Protection Regulation 2016/679 (“GDPR”), as well as any other applicable national rule and legislation on the protection of personal data in the European Union that is already in force or that will come into force during the term of this Addendum, and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom from the European Union, or, and to the extent applicable, the data protection or privacy laws of any other Member State of the European Economic Area.
1.5. “EEA” means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
1.6. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
1.7. “Restricted Transfer” means the onward transfer of Customer Personal Data that is located in the European Economic Area to Evisort in a country that is not in the EEA, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses or another adequate transfer mechanism as approved by the European Commission.
1.8. “Standard Contractual Clauses” means the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087), as amended from time to time.
1.9. “Subprocessor” means any Processor (including any third party and any Evisort Affiliate) appointed by Evisort to Process Customer Personal Data on behalf of Customer or any Customer Affiliate.
- Data Processing Terms. While providing the Services to Customer and Customer Affiliates pursuant to the Agreement, Evisort and Evisort Affiliates may Process Customer Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this Addendum. Evisort agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for Customer or any Customer Affiliate to the Services or otherwise collected and Processed by or for Customer or any Customer Affiliate by Evisort or any Evisort Affiliate. Evisort shall only retain, use, or disclose Customer Personal Data as necessary for Evisort’s performance of its obligations under the Agreement and only in accordance with Customer’s instructions. Evisort shall not sell any Customer Personal Data as the term “selling” is defined in the CCPA. Evisort shall not take any action that would cause any transfers of Customer Personal Data to or from Evisort to qualify as “selling personal information” under the CCPA.
- Processing of Customer Personal Data. Evisort shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which Evisort is subject, in which case Evisort shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement and any related SOW entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires Customer Personal Data. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Evisort’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Evisort and to permit the processing of such Customer Personal Data by Evisort for the purposes of performing Evisort’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Evisort of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact Evisort’s ability to comply with the Agreement, or applicable Data Protection Laws.
- Confidentiality. Evisort shall take reasonable steps to ensure that individuals that process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evisort shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, at a minimum, those security practices described in Exhibit 1. Customer acknowledges that, through its users, Customer: (1) controls the type and substance of Customer Personal Data; and (2) sets user permissions to access Customer Personal Data; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of the Services meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.
- Subprocessing. Evisort may engage Subprocessors in connection with the provision of the Services, provided that: (1) Evisort has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor; and (2) Evisort shall be liable for the acts and omissions of its Subprocessors to the same extent Evisort would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum. Evisort’s current list of Subprocessors for the Services is available at https://evisort.com/subprocessors (“Subprocessor List”), which Customer hereby approves and authorizes. Evisort may engage additional Subprocessors as Evisort considers reasonably appropriate for the Processing of Customer Personal Data in accordance with this Addendum, provided that Evisort shall notify Customer of the addition or replacement of Subprocessors through a mechanism, accessible within the Subprocessor List, by which Customer may subscribe to notifications of new Subprocessors (the “Subprocessor Notification Mechanism”). If Customer does not subscribe to receive notifications through the Subprocessor Notification Mechanism, Customer shall be deemed to have waived its right to receive notification of new Subprocessors and Customer shall be responsible for periodically checking the Subprocessor List to remain informed of Evisort’s current list of Subprocessors. Customer may, on reasonable grounds, object to a new Subprocessor by notifying Evisort in writing within 10 days of Evisort updating the Subprocessor List, giving reasons for Customer’s objection. Customer’s failure to object within such 10-day period shall be deemed Customer’s waiver of its right to object to Evisort’s use of a new Subprocessor added to the Subprocessor List.
In the event Customer objects to a new Subprocessor, Evisort will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected to new Subprocessor without unreasonably burdening Customer. If Evisort is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, Customer may terminate, as Customer’s sole and exclusive remedy, the portion of the Agreement with respect only to those Services which cannot be provided by Evisort without the use of the objected to new Subprocessor by providing written notice to Evisort.
- Data Subject Rights. Evisort shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data and to the extent that Customer is unable to act on such request on its own, Evisort shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that Evisort may charge Customer on a time and materials basis in the event that Evisort considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Personal Data Breach. In the event of a Personal Data Breach, Evisort will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. Evisort will take reasonable steps to provide Customer with information available to Evisort that Customer may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities.
- Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority of Customer, following written request from Customer, Evisort shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that Evisort may charge Customer on a time and materials basis in the event that Evisort considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement Evisort shall, at Customer’s option, delete or return all Customer Personal Data and all copies to Customer. Any data deleted may remain in immutable electronic backups maintained by Evisort used purely for backup, disaster recovery and data protection purposes for up to an additional 90 days beyond any such deletion or certification.
- Relevant Records and Audit Rights. Evisort will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will be performed by independent third party security professionals and include testing of the security measures and controls, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent. The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. To the extent required by Data Protection Laws and if Customer requires information in addition to the Reports, Evisort shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of Evisort (“Mandated Auditor”), of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum (a “Customer Audit”). Evisort shall provide reasonable cooperation to Customer with respect to a Customer Audit. Evisort shall promptly inform Customer if, in its opinion, a Customer Audit infringes the Data Protection Laws or any confidentiality obligations with Evisort’s other customers.
Customer agrees that: (1) a Customer Audit may only occur during normal business hours, and where possible only after reasonable notice to Evisort (not less than 20 days’ advance written notice); (2) a Customer Audit will be conducted in a manner that does not have any adverse impact on Evisort’s normal business operations; (3) Customer and any Mandated Auditor will comply with Evisort’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Evisort. To the extent any Customer Audit incurs in excess of 10 hours of Evisort personnel time, Evisort may charge Customer on a time and materials basis for any such excess hours.
- International Data Transfer. With respect to Restricted Transfers, the parties will conduct such Restricted Transfer in accordance with all applicable laws. The parties hereby agree to the Standard Contractual Clauses (which will be deemed executed by the parties as of the effective date of this Addendum), and the following terms will apply: (1) Customer will be referred to as the “Data Exporter” and Evisort will be referred to as the “Data Importer” in such clauses, with relevant company name and address details from the Agreement being used accordingly; (2) details in the Agreement and any Order Form will be used to complete Appendix 1 of the Standard Contractual Clauses; (3) details in Section 5 (Security) and Exhibit 1 of this DPA will be used to complete Appendix 2 of the Standard Contractual Clauses. If there is any conflict between this Addendum or the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
12.1. Instructions. For the purposes of Section 2 of this Addendum and Clause 5(a) of the Standard Contractual Clauses, the following acts are deemed an instruction by the Customer to process Personal Data: (a) Customer’s entering into the Agreement and applicable Order Forms, which are deemed instructions to Process Personal Data as is necessary to perform Services under the Agreement; (b) Users’ actions that initiate Processing while using the Services; and (c) Customer’s other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
12.2. Engagement of New Subprocessors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that Evisort may engage new Subprocessors as described in this Addendum.
12.3. Copies of Subprocessor Agreements. The parties agree that Evisort may redact the copies of the Subprocessor agreements that must be provided by Evisort to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses to remove commercial information, confidential information, and clauses unrelated to the Standard Contractual Clauses or their equivalent. Evisort will provide copies of the Subprocessor agreements, only upon request by Customer.
12.4. Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the specifications described in this Addendum.
12.5. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Evisort to Customer only upon Customer’s request.
- General Terms. Any obligation imposed on Evisort under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Personal Data of a Data Subject under Data Protection Laws. As between the parties to this Addendum, each party’s liability and remedies under this Addendum are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement. Unless prohibited by Data Protection Laws, this Addendum is governed by the laws stipulated in the Agreement and the parties to this Addendum hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this Addendum.
EXHIBIT 1: SECURITY PRACTICES AT EVISORT
- SECURITY PROTOCOLS
1.1 Information Security Program. Evisort shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the processing and security of Customer Content and the Evisort systems or networks used to process or secure Customer Content in connection with providing the Services (“Evisort Information Systems”). Subcontractors engaged by Evisort in accordance with this agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.
1.2 Security Controls. In accordance with its information security program, Evisort shall implement appropriate physical, organizational, and technical controls designed to (a) ensure the security, integrity, and confidentiality of Customer Content accessed, collected, used, stored, or transmitted to or by Evisort, and (b) protect Customer Content from known or reasonably anticipated threats or hazards to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of processing. Without limiting the foregoing, Evisort will, as appropriate, utilize the following controls:
(a) Firewalls. Evisort will install and maintain firewall(s) to protect data accessible via the Internet.
(b) Updates. Evisort will maintain programs and routines to keep the Evisort Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.
(c) Anti-malware. Evisort will deploy and use anti-malware software and will keep the anti-malware software up to date. Evisort will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.
(d) Testing. Evisort will regularly test its security programs, processes, and controls to ensure they meet the requirements of these Security Practices.
(e) Access Controls. Evisort will secure data in production Evisort Information Systems by complying with the following:
(i) Evisort will assign a unique ID to each individual with access to systems processing Customer Content.
(ii) Evisort will restrict access to systems with Customer Content to only those individuals necessary to perform a specified obligation as permitted by this Agreement.
(iii) Evisort will regularly review the list of individuals and services with access to systems processing Customer Content and remove accounts that no longer require access.
(iv) Evisort will not use manufacturer supplied defaults for system passwords on any operating systems, software, or other systems, and will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below) on all systems processing Customer Content.
(v) At a minimum, Evisort production passwords will (i) contain at least eight (8) characters, including at least one capitalized and one lowercase letter, at least one number, and one special symbol; and (ii) be changed whenever an account compromise is suspected or assumed.
(vi) Evisort will enforce account lockout by requiring additional validation or disabling access to Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period of time.
(f) Policies. Evisort will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for employees, subcontractors, agents and suppliers that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.
(g) Development. Development and testing environments for Evisort Information Systems will be separate from production environments.
(h) Encryption. Evisort will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Evisort will encrypt Customer Content at rest within the online Services and only allow encrypted connections to the online Service for the transfer of Customer Content.
(i) Remote Access. Evisort will ensure that any access from outside of its protected corporate or production environments to a system or systems processing Customer Content or to Evisort’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.
- SYSTEM AVAILABILITY. Evisort will maintain (or, with respect to systems controlled by its subcontractors, ensure that such subcontractors maintain) a disaster recovery (“DR”) program designed to recover the Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Evisort Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed there
- SECURITY INCIDENTS.
3.1 Procedure. If Evisort becomes aware of confirmed unauthorized or unlawful access to any Customer Content processed by Evisort Information Systems (a “Security Incident”), Evisort will promptly (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
3.2 Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Incident subject to this Section 3. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.
3.3 User Involvement. Unauthorized or unlawful access to Customer Content that results from the compromise of a User’s login credentials or from the intentional or inadvertent disclosure of Customer Content by a User is not a Security Incident.
3.4 Notifications. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s Admin users by any reasonable means Evisort selects, including email, as time is typically of the essence. Customers are solely responsible for maintaining accurate contact information in the online Service at all times.
3.5 Disclaimer. Evisort’s obligation to report or respond to a Security Incident under this Section 3 is not an acknowledgement by Evisort of any fault or liability of Evisort with respect to the Security Incident.
- AUDITING AND REPORTING.
4.1 Monitoring. Evisort monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.
4.2 Audit Reports. Evisort uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Services provided under the Agreement. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Evisort’s selection and expense; and (d) result in the generation of a SOC2 or SOC3 report (“Audit Report”), which will be Evisort’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Customer may also request a SOC 3 report, which, if available from Evisort, will not be subject to such confidentiality obligations but shall attest to the external auditor’s verification and findings. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.
4.3 Penetration Testing. Evisort uses external security experts to conduct penetration testing of certain online Services, including the Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Evisort’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Evisort’s Confidential Information. Pen Test Summary Reports or attestation letters attesting to the same will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
4.4 Worldwide Bug Bounty Program. Evisort shall maintain a bug bounty program to detect bugs and vulnerabilities on a proactive basis. The program will operate such that external security experts shall have access to a production-like version of the software by which the Services are provided, with such experts incentivized and rewarded for finding vulnerabilities with monetary rewards. This program will be run on a continuous basis with rewards available at all times to the security experts participating in the program.