Data Processing Addendum

This Data Processing Addendum (this “Addendum”) forms part of the Evisort Terms and Conditions, available at www.evisort.com/terms-and-conditions (the “Agreement”) between Evisort Inc. (“Evisort”) and the Customer identified in the Order Form (“Customer”).

Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum.  Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement.  Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.

Should you require an executed and signed version of this Addendum, please fill out the DPA request form at https://forms.gle/t1P8cw4Za6KV7WDq9. You can also email legal@evisort.com.

The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.  The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.

1. DEFINITIONS.

1.1.   “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

1.2.   “Customer Personal Data” means Personal Data Processed by Evisort on behalf of Customer to perform the Services under the Agreement.

1.3.   “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement including, in each case to the extent applicable, European Data Protection Laws and United States Data Protection Laws.

1.4.   “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

1.5.   “European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum. 

1.6.   “Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or a similar term under Data Protection Laws.

1.7.   “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.8.   “Processor” means an entity that Processes Personal Data on behalf of a Controller.

1.9.   “Security Incident” means a breach of Evisort’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Evisort’s possession, custody, or control.  “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.10.   “Services” means the services that Evisort has agreed to provide to Customer under the Agreement.

1.11.   “Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission’s implementing decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), as supplemented or modified by Appendix 3.

1.12.   “Subprocessor” means any Processor appointed by Evisort to Process Customer Personal Data on behalf of Customer under the Agreement.

1.13.   “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.

1.14.   “United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCDPA”), when effective; (c) the Colorado Privacy Act and its implementing regulations (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.

2. PROCESSING OF CUSTOMER PERSONAL DATA.

2.1.   Roles of the Parties; Compliance.  The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and Evisort is a Processor.  In some circumstances, the parties acknowledge that Customer may be acting as a Processor to a third-party Controller in respect of Customer Personal Data, in which case Evisort will remain a Processor with respect to the Customer in such event.  Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.

2.2.   Customer Instructions.  Evisort will Process Customer Personal Data only in accordance with Customer’s documented instructions unless otherwise required by applicable law, in which case Evisort will inform Customer of such Processing unless notification is prohibited by applicable law.  Customer hereby instructs Evisort to Process Customer Personal Data: (a) to provide the Services to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services.  Evisort will notify Customer if, in its opinion, an instruction of Customer infringes upon Data Protection Laws.  Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws.  Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Evisort’s Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Evisort to permit the Processing of such Customer Personal Data by Evisort for the purposes of performing Evisort’s obligations under the Agreement or as may be required by Data Protection Laws.  Customer shall notify Evisort of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact Evisort’s ability to comply with the Agreement, this Addendum, or Data Protection Laws. 

2.3.   Details of Processing.  The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.

2.4.   Processing Subject to the CCPA.  As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data.  Evisort will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and Evisort; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from Evisort’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA.  Evisort hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them.  The parties acknowledge that the Personal Information disclosed by Customer to Evisort is provided to Evisort only for the limited and specified purposes set forth in the Agreement and this Addendum.  Evisort will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA.  Customer has the right to take reasonable and appropriate steps to help ensure that Evisort uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 8.  Evisort will notify Customer if it makes a determination that Evisort can no longer meet its obligations under the CCPA.  
If Evisort notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Evisort, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.

3. CONFIDENTIALITY.  Evisort shall take reasonable steps to ensure that Evisort personnel who Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data.

4. SECURITY.

4.1.   Security Measures.  Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evisort shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with the security standards in Appendix 2 (the “Security Measures”).  Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Evisort’s security obligations hereunder.

4.2.   Security Incidents.  Upon becoming aware of a confirmed Security Incident, Evisort will: (a) notify Customer of the Security Incident without undue delay after becoming aware of the Security Incident; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence.  Evisort will take reasonable steps to provide Customer with information available to Evisort that Customer may reasonably require to comply with its obligations under Data Protection Laws.  Evisort’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Evisort of any fault or liability with respect to the Security Incident.

4.3.   Customer Responsibilities.  Customer agrees that, without limitation of Evisort’s obligations under this Section 4, Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services, where applicable.  Without limiting Evisort’s obligations hereunder, Customer is responsible for reviewing the information made available by Evisort relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. 

5. SUBPROCESSING.  Subject to the requirements of this Section 5, Customer generally authorizes Evisort to engage Subprocessors as Evisort considers reasonably appropriate for the Processing of Customer Personal Data.  A list of Evisort’s Subprocessors, including their functions and locations, is available at https://evisort.com/subprocessors (“Subprocessor List”), which may be updated by Evisort from time to time in accordance with this Section 5.  Evisort will notify Customer of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement through a mechanism, accessible within the Subprocessor List, by which Customer may subscribe to notifications of new Subprocessors (“Subprocessor Notification Mechanism”).  If Customer does not subscribe to receive notifications through the Subprocessor Notification Mechanism, Customer shall be deemed to have waived its right to receive notification of new Subprocessors and Customer shall be responsible for periodically checking the Subprocessor List to remain informed of Evisort’s current list of Subprocessors. Customer may object to such changes on reasonable data protection grounds by providing Evisort written notice of such objection within ten (10) days.  Upon receiving such an objection, where practicable and at Evisort’s sole discretion Evisort will use commercially reasonable efforts to: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Customer in its objection and proceed to use the new Subprocessor.  If Evisort informs Customer that such change or corrective steps cannot be made, Customer may, as its sole and exclusive remedy available under this Section 5, terminate the relevant portion of the Agreement involving the Services which require the use of the proposed Subprocessor by providing written notice to Evisort.  
When engaging any Subprocessor, Evisort will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum.  Evisort shall be liable for the acts and omissions of the Subprocessor to the extent Evisort would be liable under the Agreement and this Addendum.

6. DATA SUBJECT RIGHTS.  Evisort will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, as necessary for Customer to fulfill its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws.  Evisort reserves the right to charge Customer on a time and materials basis in the event that Evisort considers that such assistance is onerous, complex, frequent, or time consuming.  If Evisort receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, Evisort will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request. 

7. ASSESSMENTS AND PRIOR CONSULTATIONS.  In the event that Data Protection Laws require Customer to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with Evisort’s Processing of Customer Personal Data, following written request from Customer, Evisort shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, taking into account the nature of Evisort’s Processing of Customer Personal Data and the information available to Evisort.  Evisort reserves the right to charge Customer on a time and materials basis in the event that Evisort considers that such assistance is onerous, complex, frequent, or time consuming.

8. RELEVANT RECORDS AND AUDIT RIGHTS

8.1.   Review of Information and Records.  Evisort will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will be performed by independent third-party security professionals and include testing of the security measures and controls, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent.  The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.

8.2.   Audits.  If Customer requires information for its compliance with Data Protection Laws in addition to the information provided under Section 8.1, at Customer’s sole expense and to the extent Customer is unable to access the additional information on its own, Evisort will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”), (a “Customer Audit”) provided that (a) Customer provides Evisort with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Evisort; (b) Evisort approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Evisort’s normal business operations; (d) Customer or any Mandated Auditor complies with Evisort’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Evisort and subject to a nondisclosure agreement to be provided by Evisort; and (f) Customer may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws.  To the extent any Customer Audit incurs in excess of ten (10) hours of Evisort personnel time, Evisort may charge Customer on a time and materials basis for any such excess hours.

8.3.   Results of Audits.  Customer will promptly notify Evisort of any non-compliance discovered during the course of an audit and provide Evisort any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority.  Customer may use the audit reports solely for the purposes of meeting Customer’s audit requirements under Data Protection Laws to confirm that Evisort’s Processing of Customer Personal Data complies with this Addendum.

9. DATA TRANSFERS.

9.1.   Data Processing Facilities.  Evisort may, subject to Sections 9.2 and 9.3, Process Customer Personal Data in the United States or anywhere Evisort or its Subprocessors maintains facilities.  Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.

9.2.   European Transfers.  If Customer transfers Customer Personal Data to Evisort that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Evisort (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference.  In furtherance of the foregoing, the parties agree that: (a) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (b) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (c) the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis. 

9.3.   Other Jurisdictions.  If Customer transfers Customer Personal Data to Evisort that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Customer Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 9.2.

10.  DELETION OR RETURN OF CUSTOMER PERSONAL DATA.  Following termination or expiration of the Agreement, Evisort shall delete Customer Personal Data and all copies, except as required by applicable law.  Any Customer Personal Data deleted may remain in immutable electronic backups maintained by Evisort and used purely for backup, disaster recovery and data protection purposes for up to an additional ninety (90) days beyond any such deletion or certification. Customer may additionally request, up to thirty (30) days after termination, a copy of its Customer Personal Data, which Evisort will provide via an online shared folder. If Evisort retains Customer Personal Data pursuant to applicable law, Evisort agrees that all such Customer Personal Data will continue to be protected in accordance with this Addendum.

11.  GENERAL TERMS.  This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Evisort’s deletion or return of all Customer Personal Data.  Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force.  The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.  To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Customer Personal Data, this Addendum will govern.  Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email.  Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement.  This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

1. Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing are as described in the Agreement and the Addendum.

2. Nature and purpose of the Processing of Customer Personal Data

The nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the Addendum.

3. The categories of Data Subjects to whom Customer Personal Data relates

The categories of Data Subjects shall be as is contemplated or related to the Processing described in the Agreement, and may include employees of Customer and Customer’s users authorized by Customer to use the Services.

4. The categories of Customer Personal Data

The categories of Customer Personal Data Processed are those categories contemplated in and permitted by Agreement, and may include first and last name, title, position, employer, contact information (email, phone, physical business address), ID data, professional life data, education data, and demographic data (including, but not limited to, race, gender, disability status, and veteran status).

5. The sensitive data included in Customer Personal Data

The parties do not anticipate that Evisort will Process any sensitive data on behalf of Customer.

6. The frequency of Customer’s transfer of Customer Personal Data to Company:

On a continuous basis for the term of the Agreement.

7. The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

As set forth in the Addendum or the Agreement.

8. For transfers to Subprocessors, the subject matter, nature and duration of the Processing of Customer Personal Data:

As set forth in the Addendum or the Agreement.

 

APPENDIX 2: SECURITY MEASURES

1. Security Protocols

1.1.   Information Security Program. Evisort shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the processing and security of Customer Content and the Evisort systems or networks used to process or secure Customer Content in connection with providing the Services (“Evisort Information Systems”). Subcontractors engaged by Evisort in accordance with this agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.

1.2.   Security Controls. In accordance with its information security program, Evisort shall implement appropriate physical, organizational, and technical controls designed to (a) ensure the security, integrity, and confidentiality of Customer Content accessed, collected, used, stored, or transmitted to or by Evisort, and (b) protect Customer Content from known or reasonably anticipated threats or hazards to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of processing. Without limiting the foregoing, Evisort will, as appropriate, utilize the following controls:

1.2.1.   Firewalls. Evisort will install and maintain firewall(s) to protect data accessible via the Internet.

1.2.2.   Updates. Evisort will maintain programs and routines to keep the Evisort information systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

1.2.3.   Anti-malware. Evisort will deploy and use anti-malware software and will keep the anti-malware software up to date. Evisort will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.

1.2.4.   Testing. Evisort will regularly test its security programs, processes, and controls to ensure they meet the requirements of these Security Practices.

1.2.5.   Access Controls. Evisort will secure data in production Evisort Information Systems by complying with the following:

1.2.5.1.   Evisort will assign a unique ID to each individual with access to systems processing Customer Content.

1.2.5.2.   Evisort will restrict access to systems with Customer Content to only those individuals necessary to perform a specified obligation as permitted by this Agreement.

1.2.5.3.   Evisort will regularly review the list of individuals and services with access to systems processing Customer Content and remove accounts that no longer require access.

1.2.5.4.   Evisort will not use manufacturer supplied defaults for system passwords on any operating systems, software, or other systems, and will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below) on all systems processing Customer Content.

1.2.5.5.   At a minimum, Evisort production passwords will (i) contain at least eight (8) characters, including at least one capitalized and one lowercase letter, at least one number, and one special symbol; and (ii) be changed whenever an account compromise is suspected or assumed.

1.2.5.6.   Evisort will enforce account lockout by requiring additional validation or disabling access to Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period of time.
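The two controls in 1.2.5.5 and 1.2.5.6 are stated as requirements only; the following is an added illustration, not Evisort's code, of how a system could enforce them: a password-composition check using the minimums above, and a sliding-window lockout that counts failed attempts per account within a time window and locks the account once the threshold is reached. The attempt threshold, window length and lockout duration are assumed values, since the Addendum only says "a designated number" and "a certain period of time".

```python
"""Illustrative enforcement of the 1.2.5.5 password minimums and the
1.2.5.6 account-lockout control. Not Evisort's implementation; the lockout
parameters below are assumptions, not values from the Addendum."""
import string
from collections import deque
from dataclasses import dataclass, field

MIN_LENGTH = 8  # "at least eight (8) characters" (1.2.5.5)


def meets_password_policy(pw: str) -> bool:
    """True only if pw has >= 8 chars with at least one uppercase letter,
    one lowercase letter, one digit and one special symbol."""
    if len(pw) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return has_upper and has_lower and has_digit and has_symbol


@dataclass
class LockoutPolicy:
    max_attempts: int = 5           # assumed "designated number" of failures
    window_seconds: float = 300.0   # assumed "certain period of time"
    lockout_seconds: float = 900.0  # assumed duration access stays disabled


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of failures
    locked_until: float = 0.0


class LockoutTracker:
    """Per-account sliding-window failure counter. Timestamps are passed in
    explicitly so the behaviour is deterministic and testable."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt at time `now`. Returns True if this
        failure pushed the account over the threshold and locked it."""
        st = self._state(user)
        # Forget failures that fell outside the window.
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        """A successful login on an unlocked account resets the counter."""
        self._state(user).failures.clear()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3, window_seconds=60))
    for t in (0, 10, 20):
        locked = tracker.record_failure("alice", t)
        print(f"t={t}: failure recorded, locked={locked}")
    print("alice locked at t=100:", tracker.is_locked("alice", 100))
```

In a real deployment the failure counter would live in shared storage (a database or cache) rather than in process memory, and the check would be keyed on the unique per-individual ID required by 1.2.5.1 so that one person's lockout cannot be evaded by a shared account.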

1.2.6.   Policies. Evisort will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for employees, subcontractors, agents and suppliers that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

1.2.7.   Development. Development and testing environments for Evisort Information Systems will be separate from production environments.

1.2.8.   Encryption. Evisort will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Evisort will encrypt Customer Content at rest within the online Services and only allow encrypted connections to the online Service for the transfer of Customer Content.

1.2.9.   Remote Access. Evisort will ensure that any access from outside of its protected corporate or production environments to a system or systems processing Customer Content or to Evisort’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.

2. System Availability. Evisort will maintain (or, with respect to systems controlled by its subcontractors, ensure that such subcontractors maintain) a disaster recovery (“DR”) program designed to recover the Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Evisort Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed there

3. Security Incidents.

3.1.   Procedure. If Evisort becomes aware of confirmed unauthorized or unlawful access to any Customer Content processed by Evisort Information Systems (a “Security Incident”), Evisort will promptly (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

3.2.   Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Incident subject to this Section 3. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.

3.3.   User Involvement. Unauthorized or unlawful access to Customer Content that results from the compromise of a User’s login credentials or from the intentional or inadvertent disclosure of Customer Content by a User is not a Security Incident.

3.4.   Notifications. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s Admin users by any reasonable means Evisort selects, including email, as time is typically of the essence. Customers are solely responsible for maintaining accurate contact information in the online Service at all times.

3.5.   Disclaimer. Evisort’s obligation to report or respond to a Security Incident under this Section 3 is not an acknowledgement by Evisort of any fault or liability of Evisort with respect to the Security Incident.

4. Auditing and Reporting.

4.1.   Monitoring. Evisort monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.

4.2.   Audit Reports. Evisort uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Services provided under the Agreement. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Evisort’s selection and expense; and (d) result in the generation of a SOC2 or SOC3 report (“Audit Report”), which will be Evisort’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Customer may also request a SOC 3 report, which, if available from Evisort, will not be subject to such confidentiality obligations but shall attest to the external auditor’s verification and findings. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.  

4.3.   Penetration Testing. Evisort uses external security experts to conduct penetration testing of certain online Services, including the Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Evisort’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Evisort’s Confidential Information. Pen Test Summary Reports or attestation letters attesting to the same will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. 

4.4.   Worldwide Bug Bounty Program. Evisort shall maintain a bug bounty program to proactively detect bugs and vulnerabilities. The program will operate such that external security experts shall have access to a production-like version of the software by which the Services are provided, with such experts incentivized and rewarded for finding vulnerabilities with monetary rewards. This program will be run on a continuous basis with rewards available at all times to the security experts participating in the program.

APPENDIX 3: STANDARD CONTRACTUAL CLAUSES

1. Application of Modules.  If Customer is acting as a Controller with respect to Customer Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply.  If Customer is acting as a Processor to a third-party Controller with respect to Customer Personal Data, Evisort is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.

2. Sections I-V.  The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 5 of the Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Netherlands will apply; and (d) in Clause 18(b), the parties select the courts of the Netherlands.

3. Annexes.  The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses.  The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses.  The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 4(a) or 6 of this Appendix 3.  If such determination is not clear, then the competent supervisory authority shall be the Dutch Data Protection Authority.  The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 to the Addendum.

4. Supplemental Business-Related Clauses.  In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects.  Evisort and Customer therefore agree that the applicable terms of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:

(a)   Instructions.  The instructions described in Clause 8.1 are set forth in Section 2.2 of the Addendum.

(b)   Protection of Confidentiality.  In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Customer shall make all redactions reasonably necessary to protect business secrets or other confidential information of Evisort.

(c)   Deletion or Return.  Deletion or return of Customer Personal Data by Evisort under the Standard Contractual Clauses shall be governed by Section 10 of the Addendum.  Certification of deletion of Customer Personal Data under Clause 8.5 or Clause 16(d) will be provided by Evisort upon the written request of Customer.

(d)   Onward Transfers.  Evisort shall be deemed in compliance with Clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

(e)   Audits and Certifications.  Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 8 of the Addendum.

(f)   Liability.  The relevant terms of the Agreement which govern indemnification or limitation of liability shall apply to Evisort’s liability under Clauses 12(a), 12(d), and 12(f).

(g)   Termination.  The relevant terms of the Agreement which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.

5. Transfers from the United Kingdom.  If Customer transfers Customer Personal Data to Evisort that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Appendix 3 and the Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.

6. Transfers from Switzerland.  If Customer transfers Customer Personal Data to Evisort that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.

Effective as of August 18, 2022. The previous version of the DPA can be found here.