This Data Processing addendum (“DPA”) is entered into between you, on behalf of you and your Affiliates, and us, on behalf of us and our Affiliates and forms part of the SaaS Terms (the “Agreement”) to reflect our joint approach to the processing of Personal Data in accordance with the requirements of Data Protection Laws (defined below). Capitalized or other defined terms not described in this DPA have the meaning given to them in the Agreement.
DATA PROCESSING TERMS
We may process Customer Personal Data in compliance with this DPA on your behalf when we provide Services to you.
1. DEFINITIONS:
1.1 For the purposes of this DPA:
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Customer Personal Data” means any Personal Data processed by you as a Controller, or, as the case may be (and as per Section 3.1 below), as a Processor as per Annex 1 to Appendix C.
“Data Subject” means the individual to whom Personal Data relates.
“Data Protection Laws” means all applicable laws and regulations, including but not limited to, European data protection legislation, UK data protection legislation, California Consumer Privacy Act, 2018 (“CCPA”), California Privacy Rights Act, 2020 (“CPRA”), and Privacy Act 1988 (Cth), as may be relevant to the processing of Personal Data under the Agreement.
“EU SCCs” means as applicable, the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 and any local laws implementing or supplementing the GDPR.
“Personal Data” means any data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processor” means an entity which processes Personal Data on behalf of the Controller.
“Protected Information” means and includes (i) national, social security or taxpayer identification number or other government issued identification numbers, date of birth and/or gender; (ii) the racial or ethnic origin of Data Subject; (iii) any proceedings for any offence committed or alleged to have been committed by Data Subject, the disposal of such proceedings or the sentence of any court in such proceedings; (iv) Data Subject’s political opinions, religious beliefs or other beliefs of a similar nature; (v) Data Subject’s health or medical information; (vi) Data Subject’s sexual life; (vii) the commission or alleged commission by Data Subject of any offense; (viii) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; or (ix) other information that a reasonable person would recognize as being highly sensitive (but excluding, for avoidance of doubt, contact information such as name, title, company name, mailing address, email address, and phone number).
“Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access, or use.
“Sub-Processor” means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-Processor, to process Personal Data on behalf of the Controller.
2. APPLICABILITY OF DPA:
This DPA shall apply only to the extent that we process Customer Personal Data as a Processor while providing Services to you, and such Customer Personal Data is subject to relevant Data Protection Laws.
3. ROLES AND RESPONSIBILITIES:
3.1 Parties’ Roles:
You, as Controller, appoint us as a Processor to process Customer Personal Data. In some circumstances you may be a Processor, in which case you appoint us as your Sub-Processor, which shall not change the obligations of either party under this DPA, as we will remain a Processor with respect to you in such event. However, you shall notify and keep us updated on whether we act, in relation to specific processing activities, as a Processor or a Sub-Processor, and if the latter is the case, on the identity of the actual Controller.
3.2 Purpose Limitation:
a) We shall process Customer Personal Data for the purposes of the Agreement and only on your lawful, documented instructions (including the transfer of Customer Personal Data to a third country), unless we are required to process Customer Personal Data by the relevant Data Protection Laws to which we are subject (in such a case, we shall inform you of that legal requirement before processing, unless applicable law prohibits us from doing so). Your instructions may be specific or of a general nature as set out in this DPA or as otherwise notified by you to us from time to time. We may refrain from executing your instructions if we notify you immediately that, in our opinion, your instruction for the processing of Customer Personal Data infringes Data Protection Laws. The purpose of this Section 3.2 is only to determine the scope and the purposes of our processing of Customer Personal Data as more particularly detailed in Appendix A, and nothing in this DPA will be deemed an obligation on us to accept any of your instructions other than those provided under the Agreement.
b) You acknowledge and agree that your use of the Services does not require you to provide any Protected Information to or through the Services, and we shall have no liability to you or your representatives, users or any other party in relation to any such Protected Information. You shall not (and shall ensure that your representatives and Authorized Users do not) upload, provide or submit any Protected Information to the Services. We may, upon notice, suspend all or a portion of your or your Authorized Users’ access to the Services if we have a good faith belief that you or your Authorized Users have breached the purpose restrictions in this Section 3.2.
3.3 Training:
We shall ensure that our relevant employees, agents, and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection, and confidentiality of Customer Personal Data.
3.4 Compliance:
You, irrespective of your role as a Controller or a Processor, shall be responsible for ensuring that, in connection with Customer Personal Data and Services:
(a) you have complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Data Protection Laws; and
(b) you have, and will continue to have, the right to transfer, or provide access to us, Customer Personal Data for processing in accordance with the terms of the Agreement and this DPA.
3.5 If you use the Services to process any categories of Personal Data not expressly covered by this DPA, you act at your own risk, and we shall not be responsible for any potential compliance deficits related to such use.
3.6 You, as a Controller, shall obtain and maintain any required consents and approvals necessary to permit the processing of Customer Personal Data including the transfer of Customer Personal Data outside of the country of origin under this Agreement.
3.7 Our employees’/contractors’ Personal Data:
Where we disclose the Personal Data of our employees/contractors to you or our employees/contractors provide Personal Data directly to you, which you process to manage your use of Services, you shall process that Personal Data in accordance with your privacy policies and Data Protection Laws. We shall make such disclosures only where lawful for the purposes of contract management, service management, or for security purposes.
4. SECURITY:
4.1 Security:
We shall implement appropriate technical and organizational measures designed to protect Customer Personal Data from a Security Incident and in accordance with our security standards set out in the Agreement, as more particularly described in Appendix B. We will also, subject to the nature of processing and the information available to us, assist you in ensuring your compliance with the obligations under Data Protection Laws.
4.2 Confidentiality of Processing:
We shall ensure that any person that is authorized by us to process Customer Personal Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
4.3 Security Incidents:
Upon becoming aware of a confirmed Security Incident, we shall notify you within seventy-two (72) hours from the time of establishing a material impact to you. We will take steps to identify and remediate the cause of such Security Incident and to minimize its possible harm. For the avoidance of doubt, Security Incidents will not include unsuccessful attempts to, or activities that do not, compromise the security of Customer Personal Data, including, without limitation, unsuccessful log-in attempts, denial of service attacks and other attacks on firewalls or networked systems.
5. ONWARD TRANSFERS; SUB-PROCESSING:
5.1 We will follow the appropriate transfer mechanisms for the onward transfer of Customer Personal Data under this DPA.
5.2 We will make available the transfer mechanisms listed below which shall apply to any transfers of Customer Personal Data under this DPA from the European Union, the European Economic Area, and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of European data protection laws. The transfer mechanisms are:
5.2.1 EU SCCs requirements as completed in Appendix C.
5.2.2 International Data Transfer Addendum to the EU Commission Standard Contractual Clauses requirements as completed in Appendix C.
5.3 In the event that EU authorities or courts determine that the transfer mechanisms listed above are no longer an appropriate basis for transfers, the parties shall promptly take all steps reasonably necessary to demonstrate adequate protection for Customer Personal Data, using another approved mechanism. We understand and agree that you may terminate the transfers as needed to comply with the European data protection laws. In the event the EU SCCs (or any other approved mechanism allowing for Personal Data transfers outside of EEA) are applicable, nothing in this DPA modifies or affects any supervisory authority’s or Data Subject’s rights under the EU SCCs (or any such other approved mechanism).
5.4 You agree that we may engage our Affiliates and third parties as Sub-Processors to process Customer Personal Data on our behalf. The list of Sub-Processors that are currently engaged by us to carry out specific processing activities is attached as Appendix D (“Sub-Processor List”). Should we update the Sub-Processor List, we shall notify you and give you the opportunity to object to such Sub-Processors or changes concerning the addition or replacement thereof.
5.5 Notwithstanding the other provisions in this Section 5, we may add or replace a Sub-Processor immediately if it is necessary to ensure business continuity and recovery in case of emergency, except as prohibited by Data Protection Laws.
5.6 We shall impose on all Sub-Processors data protection terms that protect Customer Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-Processor. Where the EU SCCs are applicable, we shall enter into the EU SCCs with such Sub-Processor or rely on any other approved mechanism, including binding corporate rules (BCRs) or an alternative recognized compliance standard for the lawful transfer of Customer Personal Data outside the EEA.
5.7 For the legitimate transfer of Customer Personal Data outside of the country of origin (other than those mentioned in Section 5.2), we will employ an approved mechanism or an alternative recognized compliance standard.
6. COOPERATION:
6.1 Data Subjects’ Rights:
We shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable you to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under applicable Data Protection Laws, including rights of access, correction, restriction, objection, erasure, or data portability, as applicable. In the event such inquiry, communication or request is made directly to us, we shall promptly inform you by providing the full details of the request. For the avoidance of doubt, you will remain responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure, or data portability of that Data Subject’s Personal Data. We will be responsible for responding to a Data Subject’s request for access, correction, restriction, objection, erasure or data portability, or any other request from a Data Subject seeking to exercise his or her rights under applicable Data Protection Laws, to the extent you do not have the ability, with the available standard functionalities of the Services, to respond to such request. We reserve the right to claim reimbursement from you for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance provided to you.
6.2 Data Protection Impact Assessments and Prior Consultation:
We shall, to the extent required by Data Protection Laws, provide you with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that you are required to carry out under relevant Data Protection Laws.
7. SECURITY REPORTS AND AUDITS:
7.1 Provision of security certificates (such as an ISO 27001 certificate) or the conduct of audits shall take place in accordance with the Agreement. Unless otherwise agreed, we shall provide a copy of our most current security attestation report upon your written request no more than once annually.
7.2 We will allow for and contribute to audits, including inspections, conducted by you in accordance with the Agreement. Unless otherwise agreed, the parties will decide in advance on a reasonable start date, duration, and scope of audit, together with applicable security and confidentiality controls; and we reserve the right to charge a reasonable fee (based on our reasonable costs) for any such audit. We will notify you in advance of any applicable fee and the basis of its calculation. The purpose of any audit pursuant to this provision will be strictly limited to verifying whether we are processing Customer Personal Data in accordance with our obligations in this DPA and Data Protection Laws.
7.3 We will, in any event, and subject to confidentiality arrangements that will satisfy both parties, make available to you all information held by us necessary to demonstrate our compliance as a Processor with this DPA and Data Protection Laws. If you wish to receive such information, you shall submit a request in writing and subject to requested information being in our possession, we undertake to supply it to you as soon as reasonably practicable.
8. DELETION OR RETURN OF CUSTOMER PERSONAL DATA:
8.1 Within 30 days of termination or expiration of the Agreement, we shall, in accordance with the terms of the Agreement, delete or make available to you for retrieval all relevant Customer Personal Data (including copies) in our possession, save to the extent that we are required by any applicable law or a governmental or regulatory order to retain some or all of the Customer Personal Data. In such event, we shall extend the protection of the Agreement to such retained Customer Personal Data and limit any further processing of it to only those purposes that are required for its retention for the time that we are required to retain it.
9. MISCELLANEOUS:
9.1 In the event that we, any of our Sub-Processors, or you receive any regulatory request, order, or other binding decision or recommendation from the competent authority that requires amendments to the provisions of the Agreement or any changes to the processing of Customer Personal Data (“Regulatory Request”), we and you as well as, to the extent necessary and/or reasonably practicable, representatives of the relevant Sub-Processor, shall, within a reasonable time after receiving and reviewing the Regulatory Request, discuss and work in good faith towards agreeing on a plan (“Compliance Review Plan”) to determine how to reasonably address the Regulatory Request. A timeframe for reviewing the Regulatory Request and preparing the Compliance Review Plan will be agreed between the parties, taking into account the requirements of Data Protection Laws and the expressed urgency of the matter. The parties undertake to use their commercially reasonable endeavors to meet any specific time frames set in connection with a Regulatory Request. If we, any of our Sub-Processors, or you believe that it is not possible to meet a specific time frame set by the relevant authority in connection with the Regulatory Request, we and/or our Sub-Processor will assist you in explaining the delay to the relevant authority.
9.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail.
9.3 Any claims brought under this DPA shall be subject to the terms, exclusions, and limitations in the Agreement.
APPENDIX A – DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Appendix A includes certain details with respect to the processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Customer Personal Data:
The subject matter and duration of the processing of Customer Personal Data are set out in the Agreement.
The nature and purpose of the processing of Customer Personal Data:
The Data Importer processes Personal Data to provide the agreed business outcomes and services to the Data Exporter through its Contract Lifecycle Management Software (“Sirion Application”). The Data Importer’s processing activities include collection, storage, input, output and interpretation.
The types of Customer Personal Data to be processed:
Data Importer processes full name and business email ID. Occasionally, there may be other contact information such as designation, full name, company name, and email ID contained within the contracts uploaded on the Services.
Protected Information to be processed:
No Protected Information will be processed under the Agreement.
The categories of Data Subjects to whom the Customer Personal Data relates:
Categories of Data Subjects will include individuals requiring access to Sirion Application and Customer Data such as employees, suppliers, customers, etc.
The obligations and rights of Customer:
The obligations and rights of Customer are set out in the Agreement and this DPA.
Frequency of Transfers of Customer Personal Data:
Regularly during the term of the Agreement.
Retention Period for Customer Personal Data:
As per the terms of the Agreement.
APPENDIX B – TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures are implemented by us in accordance with Article 32 of GDPR and other similar data privacy regulations. They are continuously improved by us with the aim of attaining a higher level of security and protection. In particular, the aim is to secure greater confidentiality, integrity and availability of the information processed in the Agreement.
1. Physical and environment security
The Sirion Application (defined in Appendix A) is a SaaS-based application hosted by a cloud service provider. All Customer Data is stored and processed in a customer-specific Sirion Application instance in the cloud service. Under a shared responsibility model, we ensure the security of the software, Customer Data, and related access, while the cloud service provider maintains the physical security of the underlying infrastructure, facility/data center, environment, etc., that supports the Sirion Application. The cloud service provider ensures compliance and implements physical protection of its data centers against environmental risks, and these controls are validated by independent auditors. We maintain oversight of the physical security controls operated by the cloud service provider by assessing the independent audit reports and certificates, such as SOC 1 and SOC 2 reports and the ISO 27001 certificate, published at regular intervals.
2. Access control to data processing systems
We have implemented the following measures to prevent access to data processing systems by unauthorized persons, such as:
3. Encryption
We encrypt all Customer Data at rest and in transit. Data at rest encryption is achieved by encrypting storage in all the servers hosting the Sirion Application with AES 256-bit encryption and data in transit is encrypted using HTTPS (TLS 1.2).
4. Availability control and resilience
We have implemented the following measures to protect Personal Data from destruction or loss and to ensure a rapid restoration of the operating condition:
5. Data Minimization and Retention
We limit the collection of Personal Data to what is directly relevant and necessary to accomplish a specified purpose or to deliver the Services. We retain data only for as long as is necessary taking into account the ongoing validity of the purposes or services for which Personal Data is processed.
The retention period shall be determined by the contractual obligations as directed by the Controller. After termination of the Agreement, Personal Data processed by a Processor on behalf of a Controller will typically be retained for a period of 30 days.
6. Incident Management
We have implemented a suitable system for the management of Security Incidents, which also handles privacy/data protection incidents and their consequences. We will notify you of any Security Incident within 48-72 hours. We will communicate regularly with you until the Security Incident is resolved.
7. Procedures for regular Review, Assessment and Evaluation
We have implemented the following appropriate procedures and measures:
APPENDIX C
1. In relation to transfers of Customer Personal Data governed by the EU GDPR, the EU Standard Contractual Clauses (SCCs) apply as follows:
a. Module 2 (Controller to Processor) applies;
b. Clause 7 (docking clause) will not be applicable;
c. in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-Processor changes will be 10 days;
d. the option in Clause 11(a) will not be applicable;
e. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland; and
f. in Clause 18(b), disputes will be resolved before the courts of Dublin, Ireland.
2. In relation to transfers of Customer Personal Data governed by UK Data Protection Law, the International Data Transfer Addendum (IDTA) to the EU SCCs (the “UK Addendum”) applies, and the EU SCCs:
a. apply as completed in accordance with clause 1 above;
b. are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA;
c. Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in clause 1 as well as Annex I and Annex II under Appendix C and Appendix D attached to this DPA;
d. Table 4 in Part 1 is deemed completed by selecting “neither party”; and
e. any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
3. In relation to transfers of Customer Personal Data governed by the Swiss FADP, the EU SCCs will also apply in accordance with Clause 1 above, with the following modifications:
a. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP;
b. references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
c. Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the Swiss FADP. Subject to the foregoing, all other requirements of Clause 13 will be observed;
d. references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;
e. in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
f. in Clause 18(b), disputes will be resolved before the applicable courts of Switzerland.
4. The processing of personal data of California consumers will be governed by the following terms:
a. The parties agree that you are a “Business” under the CCPA and we are a “Service Provider” (and, after January 1, 2023, a “Contractor” as defined in the CPRA) that:
i. provides the Services to you pursuant to this Agreement, and
ii. processes, on behalf of you, Personal Data that is necessary to perform the Services under this Agreement.
b. The parties further agree and covenant as follows:
i. We are acting solely as a Service Provider with respect to Personal Data.
ii. We shall not sell Personal Data.
iii. We shall not retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in this Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in this Agreement, or as otherwise permitted by the CPRA.
iv. We will not retain, use, or disclose Personal Data outside of the direct business relationship between you and us.
v. We limit Customer Personal Data processing to activities reasonably necessary and proportionate to providing Services described in the Agreement.
vi. We certify that we understand the restrictions set forth in this subsection (b) and shall comply with them.
vii. We shall reasonably cooperate with you for consumer requests and we shall promptly inform you of any requests with respect to Personal Data.
viii. We will reasonably cooperate and assist you with meeting CCPA compliance obligations.
ANNEX I
A. LIST OF PARTIES
Data Exporter(s) – Customer:
Name: As per the Order Form
Address: As per the Order Form
Contact person’s name, position, and contact details: As per the Order Form
Activities relevant to the data transferred under this DPA: Disclosure of Personal Data as necessary to allow for provision of the Services defined in the Agreement.
Role (controller/processor): Controller
Data Importer(s) – Sirion:
Name: SirionLabs Pte. Ltd. and its Affiliates
Address: 160 Robinson Road, #03-12, Singapore 068914
Name, position, and contact details: Vijayendran Sridharan – Data Protection Officer, [email protected]
Activities relevant to the data transferred under this DPA: Processing of Personal Data for purposes of providing the Services described in the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Please refer to Appendix A of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission, Ireland
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES
As mentioned in Appendix B of the DPA.
APPENDIX D – SUB-PROCESSOR LIST
The list of Sub-Processors (including Affiliates) can be accessed from the following link. The list is regularly updated: https://info.sirion.ai/list-of-sub-processors.