PERSONAL DATA PROCESSING AGREEMENT FOR SERVICES
This Personal Data Processing Agreement (“DPA”) for Einblick Analytics, Inc. (“Einblick”) forms a part of the services agreement or other written agreement between Einblick and Customer (“Agreement”) regarding Einblick’s subscriptions and/or services provided by Einblick and ordered by Customer (the “Service”) in accordance with the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
This DPA is an addendum to and forms a part of the Agreement. If any terms of this DPA are inconsistent with the terms of the Agreement, including the exhibits thereto, then the terms of this DPA shall prevail.
DATA PROCESSING TERMS
This DPA applies to Personal Data provided by Customer and each Data Controller in connection with their use of the Service. It states the technical and organizational measures Einblick uses to protect Personal Data that is stored in the production system/technical instance of the Service.
1.2 Application of the Standard Contractual Clauses Document.
If processing of Personal Data involves an International Transfer, the Standard Contractual Clauses apply as stated in Section 5 and are incorporated by reference.
Except as provided in Section 5.2, Customer is solely responsible for administration of all requests from other Data Controllers. Customer will bind any other Data Controller it permits to use the Service to the terms of this DPA.
Customer and its Data Controllers, as applicable, determine the purposes of collecting and processing Personal Data in the Service. Appendix 1 states the details of the processing Einblick will provide via the Service under the Agreement. Appendix 2 states the technical and organizational measures Einblick applies to the Service, unless the Agreement states otherwise.
3. EINBLICK OBLIGATIONS
3.1 Instructions from Customer.
Einblick will follow instructions received from Customer (on its own behalf or on behalf of its Data Controllers) with respect to Personal Data, unless they are (i) legally prohibited or (ii) require material changes to the Service. In the event and to the extent the functionality of the Service does not allow Customer, its Data Controllers or authorized users to do so, Einblick may correct, block or remove any Personal Data in accordance with Customer’s instruction. If Einblick cannot comply with an instruction, it will notify Customer (email permitted) without undue delay.
3.2 Data Secrecy.
To process Personal Data, Einblick and its Subprocessors will only use personnel who are bound to observe data and telecommunications secrecy under the Data Protection Law. Einblick and its Subprocessors will regularly train individuals having access to Personal Data in data security and data privacy measures.
3.3 Technical and Organizational Measures.
(a) Einblick will use the appropriate technical and organizational measures to protect all Personal Data.
(b) Einblick provides the Service to Einblick’s entire customer base hosted out of the same Data Center(s) receiving the same Service. Customer agrees Einblick may improve the measures used in protecting Personal Data so long as it does not diminish the level of data protection.
3.4 Security Breach Notification.
Einblick shall notify Customer without undue delay, and in no event later than seventy-two (72) hours after its discovery of a Security Breach.
At Customer’s request, Einblick will reasonably support Customer or any Data Controller in dealing with requests from Data Subjects or regulatory authorities regarding Einblick’s processing of Personal Data.
3.6 Return or Deletion of Personal Data
Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, Einblick will (as applicable) return to Customer or destroy all Personal Data. After such 30-day period, Einblick will destroy such Personal Data.
4.1 Permitted Use.
(a) Customer and Data Controllers authorize Einblick to subcontract the processing of Personal Data to Subprocessors, including those Subprocessors listed at www.einblick.ai/subprocessors (“Subprocessor List”). Einblick is responsible for any breaches of the Agreement caused by its Subprocessors.
(b) Subprocessors will have the same obligations in relation to Einblick as Einblick does as a Data Processor (or Subprocessor) with regard to their processing of Personal Data.
(c) Einblick will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection. Subprocessors may have security certifications that evidence their use of appropriate security measures. If not, Einblick will regularly evaluate each Subprocessor’s security practices as they relate to data handling.
4.2 New Subprocessors.
Einblick’s use of Subprocessors is at its discretion, provided that:
(a) Einblick will update the Subprocessor List at least thirty (30) days in advance of any changes to the Subprocessor List in place on the Effective Date (except for Emergency Replacements or deletions of Subprocessors without replacement) and provide Customer with notice of such update. Such notice will be sent to individuals who have signed up to receive updates to the Subprocessor List via the mechanism(s) indicated on the Subprocessor List.
(b) If Customer has a legitimate reason that relates to the Subprocessors’ processing of Personal Data, Customer may object to Einblick’s use of a Subprocessor, by notifying Einblick in writing within thirty days after receipt of Einblick’s notice. If Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. Einblick may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
(c) If Customer’s objection remains unresolved sixty days after it was raised, and Einblick has not received any notice of termination, Customer is deemed to accept the Subprocessor.
4.3 Emergency Replacement.
Einblick may change a Subprocessor where the reason for the change is outside of Einblick’s reasonable control. In this case, Einblick will inform Customer of the replacement Subprocessor as soon as possible. Customer retains its right to object to a replacement Subprocessor under Section 4.2(b).
5. INTERNATIONAL TRANSFERS
5.1 Limitations on International Transfer.
Personal Data from an EEA or Swiss Data Controller(s) may only be exported to or accessed by Einblick or its Subprocessors outside the EEA or Switzerland (“International Transfer”):
(a) If the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission; or
(b) in accordance with Section 5.2.
5.2 Standard Contractual Clauses and Multi-tier Framework.
(a) The Standard Contractual Clauses apply where there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission.
(b) For Third Country Subprocessors, Einblick shall ensure that such Subprocessor: (1) participates in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as designed by the U.S. Department of Commerce and approved by the European Commission and Swiss Administration (respectively) as having adequate protection under the Directive and the Swiss 235.1 Federal Act of 19 June 1992 on Data Protection (respectively), or (2) has entered into the unchanged version of the Standard Contractual Clauses prior to the Subprocessor’s processing of Personal Data. If applicable, Customer hereby (itself as well as on behalf of each Data Controller) accedes to the Standard Contractual Clauses between Einblick and the Third Country Subprocessor. Einblick will enforce the Privacy Shield program requirements (or the Standard Contractual Clauses, as applicable) against the Subprocessor on behalf of the Data Controller if a direct enforcement right is not available under Data Protection Law.
(c) Nothing in this DPA will be construed to prevail over any conflicting clause of the Standard Contractual Clauses.
6.1 “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
6.2 “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
6.3 “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement.
6.4 “Data Subject” means an identified or identifiable natural person.
6.5 “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.
6.6 “Personal Data” means any information relating to a Data Subject. For the purposes of this DPA, it includes only personal data entered into the Service by or on behalf of Customer or its authorized users, or derived from their use of the Service. It also includes personal data supplied to or accessed by Einblick or its Subprocessors in order to provide support under the Agreement. Personal Data is a subset of Customer Data.
6.7 “Security Breach” means a confirmed accidental or unlawful destruction, loss, alteration, or disclosure that results in the compromise of the integrity and/or confidentiality of Personal Data.
6.8 “Standard Contractual Clauses” (also referred to as the “EU Model Clauses”) means the Standard Contractual Clauses (processors) or any subsequent version thereof released by the Commission (which will automatically apply). The current Standard Contractual Clauses are located at http://ec.europa.eu/justice/data-protection/international-transfers/files/clauses_for_personal_data_transfer_processors_c2010-593.doc. They include Appendices 1 and 2 attached to this DPA.
6.9 “Subprocessor” means Einblick Affiliates and third parties engaged by Einblick or Einblick’s Affiliates to process Personal Data.
6.10 “Territory” means the geography where Einblick hosts Personal Data in the Service which is the United States.
6.11 “Third Country Subprocessor” means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
Appendix 1 – Details of Data Processing
Appendix 2 – Technical and Organizational Measures
Details of Data Processing
The Data Exporter subscribed to a Service that allows authorized users to enter, amend, use, delete or otherwise process Personal Data.
Einblick and its Subprocessors provide the Service that includes the following support:
• Monitoring the Service
• Release and development of fixes and upgrades to the Service
• Monitoring, troubleshooting and administering the underlying Service infrastructure
• Security monitoring, network-based intrusion detection support, penetration testing
Einblick Affiliates provide support when a Customer submits a support ticket because the Service is not available or not working as expected for some or all authorized users. Einblick responds via email and performs basic troubleshooting, and handles support tickets in a tracking system that is separate from the technical instance of the Service.
Unless provided otherwise by the Data Exporter, transferred Personal Data relates to the following categories of data subjects: employees, contractors, business partners or other individuals having been granted access credentials to the Service.
The transferred Personal Data submitted into the Service may concern the following categories of data: Customer, in its sole discretion and control, determines the categories of Personal Data in accordance with the Service component(s) ordered under the Agreement. Customer can configure the data fields during implementation of the Service or as otherwise provided by the Service, subject to the functionality of the related Service component(s). The transferred Personal Data submitted into the Service may include, but is not limited to, the following categories of data:
• Data subject profile data (data subject name, contact information, job title)
• Connection data
• Email and IP address
• Any personal data uploaded by Customer processed by Einblick to provide Services
Special Data Categories (if appropriate)
The transferred Personal Data concerns the following special categories of data:
Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include ‘special categories of personal data’ or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
The transferred Personal Data is subject to the following basic processing activities:
• use of Personal Data to set up, operate, monitor and provide the Service (including Operational and Technical Support)
• communication to authorized users
• upload any fixes or upgrades to the Service
• execution of instructions of Customer in accordance with the Agreement
Technical and Organizational Measures
The following sections define Einblick’s current technical and organizational security measures. Einblick may change these at any time without notice so long as it maintains a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.
| Control | Description | Data Importer's Response |
|---|---|---|
| Physical access control | Measures to prevent unauthorised third parties from accessing data processing systems (DP systems) that allow the processing or use of personal data. | Einblick does not maintain physical offices or infrastructure. Einblick depends on Amazon Web Services (AWS) for data processing. AWS maintains a high standard of security for its infrastructure; details are available at https://aws.amazon.com/compliance/data-center/controls/ |
| Access control | Measures to prevent unauthorised third parties from using data processing systems that allow the processing or use of personal data. | Systems containing personal data are protected by user IDs and passwords and require multi-factor authentication. |
| User access control | Measures to prevent persons from accessing data that is not considered mandatory in order to fulfil their tasks. | Access to systems is granted on a need-to-know basis in accordance with Data Importer's access policies. Access to systems is also promptly terminated in accordance with such policies. |
| Transmission control | Measures to prevent unauthorised third parties from accessing personal data during transmission and/or transport. | Personal data is only transmitted electronically, encrypted, over secured internet or network protocols. |
| Entry control | Measures to ensure consistent tracking of whether personal data has been entered, amended or removed from data processing systems, and by whom. | Information transmitted through systems is logged, tracked, and cross-referenced with the account of the Data Exporter. |
| Order control | Measures to ensure that personal data can only be processed in accordance with the instructions issued by the client. | Data Importer is contractually bound to use any personal data only in accordance with the terms of the Agreement between Data Importer and Data Exporter. |
| Availability control | Measures to protect personal data against accidental destruction or loss. | Data is backed up to multiple durable data stores and replicated across multiple availability zones in fault-tolerant AWS data centers, with no single point of failure. |
| Separation rule | Measures to ensure separate processing of different data sets. | Information transmitted through systems is logged, tracked, and cross-referenced with the account of the Data Exporter. |