DATA PROCESSING AGREEMENT
1. BACKGROUND AND DETAILS OF THE PERSONAL DATA PROCESSING
1.1 This DPA is between the Customer specified in the concluded Master Services Agreement (hereinafter referred to as “Controller”) and
1.2 The scope, as well as the extent and nature of the collection, processing and use of personal data under this DPA shall be further described in the applicable Agreement.
1.3 The term of this DPA corresponds to the duration of the Agreement and any post-termination obligations within the DPA and/or the Agreement. Despite any termination of this DPA, the regulations of this DPA concerning the protection of Personal Data shall remain in force as long as the Processor continues to process Personal Data on behalf of the Controller.
2. DEFINITIONS
In addition to the definitions set out in the applicable Agreement, the following definitions shall apply in this DPA:
Agreement: means any contract or agreement that the Processor has entered into with the Controller.
Business Purpose: means the use of Personal Data for the business’ operational purposes, or other notified purposes as set forth in the Agreement and in Attachment 1 to this DPA.
CA Personal Information: means, as defined in the CCPA, information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household, that may be (i) processed at any time by the Processor in anticipation of, in connection with or incidental to the performance of the Agreement or (ii) derived by the Processor from such information.
CCPA: means California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), Cal. Civ. Code § 1798.100 et seq., including its regulations and any amendments thereto.
Controller(s): means the customer under the Agreement (whether being a controller or processing another controller’s data which are then sub-processed by Processor).
Data Protection Laws: means any applicable data protection, privacy, or security laws or regulations, which include, as applicable, but are not limited to: GDPR (as defined below), the EU e-Privacy Directive 2002/58/EC, each as implemented by countries within the European Economic Area, the UK Data Protection Act 2018, the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK GDPR (as defined below), CCPA, the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (“VCDPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Public Act No. 22-15 (“CTDPA”), the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. (“CPA”), the Canadian federal Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”), the Personal Information Protection Law of China (“PIPL”) and other laws or regulations that are similar or equivalent to, or that are intended to implement, the laws or regulations above.
DPA: means this Data Processing Agreement.
EEA: means the European Economic Area.
EU: means the European Union.
EU – U.S. DPF: means the EU-U.S. Data Privacy Framework as adopted by the European Commission’s adequacy decision on July 10, 2023 and as set forth by the U.S. Department of Commerce.
EU Standard Contractual Clauses: means the Standard Contractual Clauses, effective 27 June 2021, adopted by the EU Commission with EU Commission Implementing Decision 2021/914 of 4 June 2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to GDPR, incorporated herein by reference, or (if applicable) (i) any future clauses issued by the EU for the transfer of Personal Data to non-EU (sub)processors, and replacing or modifying the clauses in the wording as issued by the EU, or (ii) any other clauses mutually agreed upon by the parties.
UK Extension: means the UK Extension to the EU – U.S. DPF.
UK Standard Contractual Clauses: means where UK GDPR applies (i) Standard Data Protection Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 incorporated herein by reference; or (ii) any future clauses as may be published by the UK Information Commissioner or the UK Government under UK GDPR from time to time for use in relation to Restricted Transfers from a controller located in the UK (or from its own processor) to a processor (or sub-processor) located in a third country.
GDPR: means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
UK GDPR: means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and section 3 of the Data Protection Act 2018.
In writing: includes electronic text form such as email, pdf or fax.
Personal Data: means personal data as defined in the GDPR and CA Personal Information as defined in the CCPA and herein to the extent processed by the Processor in connection with the Agreement.
Process and/or Processing: means any operations or set of operations which is performed on Personal Data as defined in the GDPR, and including any additional instructions relating to the operations performed on Personal Data.
Processor: means the supplier providing the Services under the Agreement who Processes Personal Data.
Personal Data Breach: means a breach of security, confidentiality, or privacy of Personal Data leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Sell: means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data by Processor to another business or a third party for monetary or other valuable consideration.
Share: means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data by Processor to a third party for cross-context behavioural advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioural advertising for the benefit of a business in which no money is exchanged.
Services: means the services provided by the Processor to the Controller in accordance with the Agreement.
Sub-Processor: means any entity engaged by the Processor (or further Sub-Processor) to process Personal Data on behalf of Controller.
Any terms used in this DPA, which are defined in the GDPR and not otherwise defined in this DPA, shall have the meaning as set out in the GDPR.
3. INSTRUCTIONS FROM THE CONTROLLER(S)
3.1 The Processor shall process Personal Data only in accordance with instructions in writing from the Controller.
3.2 Additional instructions in writing may be issued by the Controller at any time.
3.3 The Processor shall inform the Controller immediately within seventy-two (72) hours if it considers an instruction to violate applicable data protection laws.
4. Obligations of the Processor
4.1 The Processor shall not process Personal Data for any purpose other than prescribed by the Agreement and to fulfil its obligations under the Agreement unless otherwise required by applicable law to which the Processor is subject.
4.2 The Processor agrees that the Controller discloses Personal Data to Processor solely (i) for the valid, limited and specified Business Purposes; and (ii) to allow the Processor to perform the Services. The Controller shall not provide the Processor with Personal Data, except as necessary for Processor to provide the Services.
4.3 Processor will not: (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than providing the Services and for the Business Purposes, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the Business Purposes; and (iii) retain, use, or disclose the Personal Data except as permitted in the Agreement between Processor and Controller or as otherwise permitted by applicable law. For the avoidance of doubt, Processor shall not retain, use, or disclose Personal Data outside of the direct business relationship between Controller and Processor. Processor shall not combine Personal Data which Processor receives pursuant to the Agreement and this DPA with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that Processor may combine personal information to perform any business purpose under applicable law.
4.4 Notwithstanding the foregoing, the Processor may retain, use, or disclose CA Personal Information obtained in the course of providing the Services: (1) to retain and employ another Service Provider as a Sub-Processor, where the Sub-Processor meets the requirements for a Service Provider under the CCPA; (2) for internal use by the Processor to build or improve the quality of its services it is providing to Controller, provided that Processor does not use CA Personal Information to perform services on behalf of another person; (3) to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity; (4) to comply with federal, state, or local laws or comply with a court order or subpoena to provide information; (5) to comply with civil, criminal, or regulatory inquiry, investigation or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Processor reasonably and in good faith believes may violate federal, state, or local law; (7) to cooperate with a government agency request for emergency access to the individual’s CA Personal Information if a natural person is at risk of danger or death or serious physical injury, provided that (a) the request is approved by a high-ranking agency officer for emergency access to the individual’s CA Personal Information; (b) the request is based on the agency’s good faith determination that it has a lawful basis to access the information on a non-emergency basis; and (c) the agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted; (8) to exercise or defend legal claims; or (9) to the extent such information is Deidentified or Aggregated (as such term is defined in the CCPA).
4.5 Processor Personnel
4.5.1 The Processor’s personnel engaged in processing Personal Data under this DPA are to be bound to confidentiality and prohibited from processing any Personal Data without authorisation and prohibited from processing for any purposes other than fulfilling Processor’s contractual obligations vis-à-vis the Controller or any other Controller (as the case may be).
4.5.2 Upon the Controller’s request, the Processor shall provide the Controller with its standard form personnel data secrecy and confidentiality agreements or template language.
4.5.3 The Processor shall provide adequate data protection training, and ensure all individuals having access to Personal Data understand the data protection provisions and act in accordance with the data protection provisions relevant to their work.
4.6 Assistance to the Controller
The Processor shall, insofar as possible, assist the Controller (each individually or as a whole) in fulfilling their obligations under the GDPR and handling requests and claims. This especially applies with regard to:
4.6.1 the Controller’s obligation to comply with their obligations according to Articles 35 to 36 of the GDPR;
4.6.2 any request made by a supervisory authority against the Controller; and
4.6.3 with regard to any claim or any inspection or procedure that the Controller becomes subject to and that relates to the processing of Personal Data by the Processor.
4.7 The Processor shall notify the Controller, unless prohibited by applicable Member State or EU law on grounds of public interest, prior to processing Personal Data for legal obligations which are not prescribed by the Agreement.
4.8 The Processor shall inform the Controller to the extent permitted by law within seventy-two (72) hours of any inspections, investigation and/or measures conducted and/or any criminal, administrative or summary offence procedure by a competent authority and relating to Personal Data or regarding the processing of Personal Data in connection with the Agreement.
4.9 The Processor shall notify the Controller regarding all issues related to data privacy and data protection within the scope of the Agreement.
4.10 The Processor shall periodically monitor the internal processes, and the technical and organisational measures to ensure that processing within the Processor’s area of responsibility is in accordance with the applicable data protection laws.
4.11 The Processor shall notify the Controller if the Processor makes a determination that it can no longer meet its obligations under the CCPA.
5. Data Subject’s Rights
5.1 The Processor may not on its own authority correct, rectify, delete, remove, restrict, block or export any Personal Data without express authorisation in writing from the Controller.
5.2 The Processor shall enable the Controller to correct, rectify, delete, remove, restrict, block or export their Personal Data, or shall itself correct, rectify, delete, remove, restrict, block or export any Personal Data strictly in accordance with any instructions in writing provided by the Controller, no later than ten (10) days after receiving those instructions. The Processor shall provide the Controller with written notification and explanation where the Processor requires additional time to provide assistance in relation to data subjects’ rights.
5.3 If a data subject contacts the Processor directly with any enquiry or request, the Processor shall inform the Controller without undue delay, or at the latest within five (5) calendar days. Where the Processor fails to inform the Controller within five (5) calendar days upon receiving the direct enquiry or request from the data subject, the Processor shall provide the Controller with a written explanation. The Processor shall take reasonable measures to identify whether the enquiry or request relates to instructions provided by the Controller, including for the avoidance of doubt requesting further information from the data subject. The Processor shall insofar as possible support the Controller in dealing with such enquiries or requests.
5.4 The Processor shall reasonably cooperate with Controller where necessary to enable Controller to comply with a consumer request made pursuant to the Data Protection Laws relating to Personal Data.
6. Technical and Organisational Measures
6.1 The Processor shall implement and maintain the technical and organisational measures set out in Attachment 2 to this DPA.
6.2 The technical and organisational measures are subject to technical progress and further development. The Processor may amend the technical and organisational measures, provided that the new measures provide the same or higher level of security compared to the previous measures.
6.3 The Processor shall comply with the CCPA and provide the level of privacy protection for CA Personal Information as is required by the CCPA.
7. Communication in the Case of Personal Data Breaches
7.1 The Processor shall notify the Controller immediately and without undue delay, and at the latest within 72 hours of establishing that an incident has occurred, to the extent permitted by law, of any incident resulting or highly likely to result in a Personal Data Breach affecting the Personal Data processed.
7.3 The Processor shall send notifications about data breaches to the email addresses specified in the Agreement. Such data breaches can also be reported via telephone.
7.4 The Controller may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of CA Personal Information.
7.5 The Controller may take reasonable and appropriate steps to ensure that the Processor uses CA Personal Information in a manner consistent with Controller’s obligations under the CCPA.
8. LOCATION OF PROCESSING AND INTERNATIONAL TRANSFERS
8.1 The Controller hereby authorizes the Processor to transfer Personal Data to its affiliates and to its sub-processors, some of which are outside of the originating country of the Personal Data and as such shall cross national borders to reach the Processing locations.
8.2 Each and every transfer of Personal Data shall only occur if the specific conditions of the Applicable Data Protection Law have been fulfilled. Personal Data may only be transferred to third countries, for which no adequacy decision in accordance with Art. 45 GDPR has been made, if such transfer can be legitimized by appropriate safeguards that are provided in accordance with Art. 46 GDPR, for example by agreeing on the relevant Standard Contractual Clauses first.
8.3 The Processor complies with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
8.4 In case the Processor fails to re-certify for the EU-U.S. DPF, or the EU-U.S. DPF or the UK Extension has been declared invalid, the Controller and Processor agree that any transfer of Personal Data will be processed in accordance with the relevant EU Standard Contractual Clauses or UK Standard Contractual Clauses. The Parties further agree to include the optional Clause 7 (Docking clause) of the EU Standard Contractual Clauses. The Parties also agree that the Data Importer has the Data Exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object. With regard to clauses 8 to 18 of the EU Standard Contractual Clauses, where the Data Exporter acts as a controller and the Data Importer acts as a processor, Module Two will apply, and where the Data Exporter acts as a processor and the Data Importer acts as a sub-processor, Module Three will apply.
9. Sub-processing
9.1 The Controller consents to the Processor engaging the sub-processors listed in Attachment 3 to this DPA. The Processor shall specifically inform the Controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
9.2 Any sub-processor engaged by the Processor to process Personal Data pursuant to the Agreement, shall enter into written agreements with the Processor. The agreements must provide the same rights and obligations to the Controller as the DPA. Processor shall ensure that, upon the Controller’s request, any sub-processor is obliged to enter into any direct data processing agreement with the Controller insofar required by (i) mandatory data protection law in the Controller’s reasonable opinion, or (ii) a competent data protection or other competent authority. This in particular includes any actual or updated version of the EU or UK Standard Contractual Clauses.
10. Audit Rights
10.1 Audit
10.1.1 The Controller may conduct an audit, at its cost and on its own behalf and/or on behalf of other Beneficiaries, to verify the Processor’s compliance with its obligations under this DPA. Such audit may be conducted by the Controller or a third-party auditor. Processor shall reasonably cooperate and provide such documentation and access, insofar as possible, as required by the Controller to conduct the audit. For the avoidance of doubt, Processor shall in no event be obliged to provide any information related to Processor’s other customers.
10.1.2 The Controller shall provide reasonable advance written notice of at least fifteen (15) days, unless: (i) data protection law or a competent data protection authority requires an earlier audit, in which case the Processor will be given as much advance notice as possible; or (ii) the circumstances of a personal data breach require an earlier audit, in which case the Processor will be given reasonable advance notice. The Controller shall conduct the audit in an expeditious manner, within a reasonable time and in a way to not unreasonably disrupt Processor’s day-to-day business operations.
10.1.3 If an audit determines that the Processor has breached its obligations, the Processor will promptly remedy the breach.
10.1.4 The Processor shall support the Controller, insofar as possible, in any audit as requested by the Controller or applicable laws.
10.2 Evidence
10.2.1 Upon the Controller’s request, the Processor shall certify that it is in compliance with this DPA by providing adequate evidence in the form of (i) the results of a self-audit or a third-party assessment, (ii) internal company rules of conduct including external evidence of compliance, (iii) certificates on data protection and/or information security (e.g. ISO 27001), (iv) approved codes of conduct, or (v) other appropriate certificates.
10.2.2 Evidence of the implementation of measures which are not specific to this DPA may be given in the form of up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit.
11. Deletion of Personal Data UPON TERMINATION
11.1 Upon termination of the Agreement, the Processor shall enquire whether any or all Personal Data and all documents, processing and utilisation results, and data sets pursuant to the Agreement are to be returned to the Controller; upon confirmation, the Processor shall return all data specified to the Controller in a data-protection compliant manner. The Processor shall delete all data belonging to the Controller upon returning all data to the Controller per request, or immediately after the Controller has specified that the return of data is not required, in a data-protection compliant manner.
11.2 Documentation necessary to demonstrate compliance with this DPA shall be stored by the Processor beyond termination of the Agreement for the duration of the respective retention period as required by the Agreement or any applicable legal obligation under relevant laws or any industry standards applicable to the Processor.
12. Miscellaneous
12.1 In the event of any contradictions, the provisions of this DPA shall take precedence over the provisions of the Agreement.
12.2 Amendments or supplements to this DPA shall be made in writing and signed by both the Controller and the Processor.
12.3 Attachments 1, 2 and 3 form an integral part of this DPA.
Attachment 1
BUSINESS PURPOSES. Categories of Data Subjects, Categories of Personal Data, and Purpose of Collection, Processing and Use of Personal Data
Business Purposes:
Audit Services and Audit Management
LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: as specified in the Agreement
Address: as specified in the Agreement
Contact person’s name, position and contact details: as specified in the Agreement
Activities relevant to the data transferred under these Clauses: as specified in the Agreement
Date: The Effective Date of the Agreement
Role: Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
1. Name:
Data subjects
The categories of data subjects affected depend on the Services provided by the Processor to which access is granted for the purpose of performance of the Services. Employees, applicants, customers, vendors and/or other business partners (including their employees) of the Controller and/or its affiliated companies may be affected.
Categories of data
The categories of Personal Data affected depend on the Services provided by the Processor to which access is granted for the purpose of performance of the Services.
The Personal Data may concern the following categories of data:
- Identity Information
- Contact Information
- Location Information
- Purchase Information (including credit card information)
- Device Information
- Preference Information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing, on a continuous basis, throughout the duration of the Agreement.
Nature of the processing
The Processor carries out Services as described in the DPA and the Agreement, which may contain personal data controlled by the Controller or processed by the Controller for another processor.
Only data that
Processing operations
The Processor carries out Services as described in the DPA and the Agreement, which may contain personal data controlled by the Controller or processed by the Controller for another processor.
The Processor will process Personal Data for the purpose of and to the extent necessary for the performance of the Services under the Agreement only and will be subject to the following basic processing activities set out in the Agreement for the performance of services:
- Storage and other processing necessary to provide, maintain, and improve the Services provided by the Processor under the Agreement;
- To provide customer and technical support to the Controller; and
- Disclosures in accordance with the Agreement, as required by law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
All electronic data is retained per governing body guidelines. All data will be cleared from
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
All electronic data is retained per governing body guidelines. All data will be cleared from
Attachment 2
Technical and organisational measures
Processor’s administrative, physical, organisational and technical measures shall include, at a minimum, the following:
A. Physical Access Control – measures to prevent unauthorised access to data processing facilities, such as measures to ensure physical security, including access cards, zoning, escorting of visitors, wearing of passes, locked doors, electronic door openers, warning procedures in case of intrusion, security services and/or entrance security staff, video surveillance (e.g. CCTV) or alarms.
B. Electronic Access Control – measures to prevent unauthorised use of the data processing and data storage system, such as password protection for computer systems; password procedures (e.g. special characters, minimum length, etc.); automatic blocking/locking mechanisms (i.e. limitation of the number of access attempts to an account); encryption of data at rest (i.e. measures to make personal data unintelligible to anyone without access authorization); management of encryption keys; encryption of data carriers/storage media; anonymization; hardware security, i.e. measures to ensure the physical security of servers and workstations, including secure storage, security cables, confidentiality filters and secure erasure prior to scrapping.
C. Internal Access Control – measures to prevent unauthorised reading, copying, changes or deletions of data within the system and measures regulating user rights of access to and amendment of data, such as access to data and files accorded only to those who need to know; authorisation rights including access rights (profiles, roles, transactions and objects); logging of system access events; use of secure storage solutions; archiving, i.e. measures with regard to specific access methods to archived data; paper document security, i.e. measures to secure, store and destroy paper documents containing personal data.
D. Organizational Control – technical and organisational measures for ensuring that, by default, only personal data which are necessary are processed in a legitimate way, such as appointment of a person or group of people responsible for data protection laws and regulations (e.g. data protection officer); data protection guidance; privacy-friendly service settings as default; privacy by design, i.e. measures to ensure that privacy is built into a system or process during the whole life cycle of that system or process; minimizing the processing of personal data, i.e. other measures to filter, remove, reduce, convert or restrict data; Data Protection Impact Assessment; security breach policy and procedure; training and awareness, i.e. personnel has to undergo privacy training and/or other measures to increase awareness of staff with regard to privacy; supervision, ensuring the protection of data is properly overseen; measures to ensure that the controller is able to review the documentation of all essential processing steps of the data processing systems, and trace whether controller data have only been processed in compliance with the instructions of the controller, such as documentation of processing activities, reports or extracts of reports from independent bodies or certification by IT security or data protection audit, etc.
E. Data Transfer Control – measures to prevent unauthorised reading, copying, changes or deletions of data during electronic transfer or transport, such as encryption for data in transit; use of VPNs/tunneling; electronic signatures; transportation security of physical data carriers.
F. Data Entry Control – measures for verifying whether and by whom personal data is entered into, changed in or deleted from a data processing system, such as logging and document management.
G. Order or Agreement Control – measures to prevent third-party data processing other than upon instruction from the controller, such as clear and unambiguous contractual arrangements in line with GDPR requirements; confidentiality clauses; monitoring of the information security performance of third parties.
H. Availability Control – measures to prevent accidental or willful destruction or loss, such as backup strategy and procedures; remote storage; anti-virus/firewall systems; business continuity plans; reporting procedures and contingency planning; measures on workstations to reduce the possibility of exploiting software properties to adversely affect personal data; measures implemented to secure websites; measures to ensure network security, including firewalls, intrusion detection systems or other active or passive measures; measures to detect and prevent intrusions, to analyze network traffic in real time and to detect any suspicious activity suggestive of a cyberattack scenario; securing mobile data processing, such as organizing encryption measures for mobile equipment, undertaking regular data backups and synchronizations and requiring a confidential piece of information to unlock smartphones; protection against environmental risks, i.e. measures to protect personal data against environmental disasters.
I. Rapid Recovery – measures to ensure the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, such as backup strategy and procedures; business continuity plans; reporting procedures and contingency planning.
J. Procedures for Regular Testing, Assessment and Evaluation of the Effectiveness of Technical and Organisational Measures for Ensuring the Security of Personal Data – appropriate certification with regard to IT security; regular stress tests; security incident response strategy and regular testing thereof.
K. Physical location of data centres
Please insert a list of all data centres (town and country) where Controller’s corporate data will be processed or hosted. Note: Please describe for each data centre location which legal entity or sub-processor (full name and address) is operating the data centre.
| Full legal name | Address (with country) |
| --- | --- |
| GCP | USA, A-LIGN |
Attachment 3
List of APPROVED Sub-Processors
The Controller agrees to the Processor engaging the following sub-processors with actual or potential access to Personal Data as specified in the DPA:
| Subprocessor (full legal name) | Address/country | Description of services provided by the subprocessor |
| --- | --- | --- |
| Microsoft Corporation (Microsoft 365) | USA | Use of Office 365 for email, chat, OneDrive for Business and office suite products. Use of Azure AD for internal policy control for systematic enforcement of username/password requirements, system configuration standards, and MDM. |
| Salesforce, Inc. | USA | Use of Salesforce for CRM for standard marketing and sales process automation and systematic control as well as organizational data analytics. |
| Certinia (formerly FinancialForce) | USA | Use for project management, ERP, business automation and data analytics. |
| Google Cloud Platform | USA | Cloud hosting provider for proprietary compliance management tool. |
| Amazon Web Services | USA | AWS hosting of Provider proprietary engagement tools. |
| Merge API, Inc. | USA | Integration with HRIS, directory services, and ticketing systems. |