Data Processing Addendum ("DPA")
(last updated 12/01/2021)
This agreement is made between Customer who is Party to the Master Access Agreement and, if applicable, the SOW (“Customer”) and dscout, Inc., a company constituted under the laws of the state of Delaware in the United States with an address at 222 N LaSalle Street, Suite 650, Chicago IL 60601 (“dscout”) (together, the “Parties”).
WHEREAS the Parties have entered into a Master Access Agreement (the “Agreement”);
In consideration of the ongoing obligations of the parties under applicable data protection laws and under the Agreements referred to above, the parties agree as follows:
1. DATA PROTECTION
1.1 Each Party shall comply with the obligations imposed on such Party by applicable data protection laws, including the EU General Data Protection Regulation and EU member states' laws implementing the same, and the California Consumer Privacy Act (“Data Protection Legislation”) to the extent that those obligations are applicable to performing the obligations under the Agreement and the data processed in connection with such Agreement.
1.2 The terms "Data Controller", “Business,” “Data Processor,” “Service Provider,” "Data Subject", “Personal Data Breach,” and "Personal Data" shall be interpreted in accordance with the applicable Data Protection Legislation. For the purpose of this DPA, Personal Data includes “Personal Information” as defined by applicable Data Protection Legislation. All other terms are defined in the Agreement, as applicable.
1.3 "2021 Standard Contractual Clauses,” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfer” section below.
1.4 “2010 Standard Contractual Clauses” means the annex found in the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of September 13, 2019 at data.europa.eu/eli/dec/2010/87/oj), completed as described in the “Data Transfer” section below.
2. ROLES OF THE PARTIES
2.1 The Parties agree that each party acts as an independent Data Controller or Business with respect to Personal Data provided by Scouts and data collected from Scouts through the dscout Platform, including but not limited to Scout Profile Information, Screener Data and Mission Entries (collectively, “Scout Data”) for the purposes of the Data Protection Legislation. Scout Data is not “transferred” to dscout by Customer.
2.2 With respect to Scout information, such as name and email address, that is provided directly by Customer, or Customer employee information provided by Customer solely to enable access to the dscout platform (together, “Customer Data”), dscout shall act as a Data Processor or a Service Provider.
2.3 Each Party represents, warrants and undertakes to the other that they have complied and shall at all times continue to comply with, all obligations imposed on them by the Data Protection Legislation.
2.4 No Party shall take any action or make any omission in relation to Personal Data which would cause the other Party to breach its obligations under the Data Protection Legislation.
3. DATA CONTROLLER OBLIGATIONS
3.1 Data Incidents: Each Party shall notify the other promptly without undue delay and in any event within 48 hours of becoming aware of any loss or unauthorized access to Personal Data of the other (a “breach”) and provide reasonable assistance to the other in order to address such breach.
3.2 Data Subject Requests: Each Party shall be responsible for responding to and, if required, complying with, any data subject requests to exercise rights under Data Protection Legislation with respect to Personal Data over which it is a Controller, or a request purporting to exercise such rights, (collectively, a “Request”), or a complaint related to the Processing of such data. Without limiting the foregoing:
- 3.2.1 Where either Party knowingly receives a Request relating to Personal Data processed under the Agreement and over which the other Party is a Controller, the Party shall notify the other Party as soon as reasonably practical and in any event within three (3) business days of the Request and permit such other Party to manage the response with respect to the Personal Data in such other Party’s possession.
3.3 Supervisory Requests: Each Party shall provide reasonable assistance to and cooperation with the other Party for their consultation with supervisory authorities in relation to the transfer, control, and processing of Personal Data involved in this Agreement.
4. DATA PROCESSOR OBLIGATIONS
Data Processor shall, in relation to Customer Data containing Personal Data processed in connection with the performance of its obligations under this DPA:
4.1 process that Customer Data only on the documented written instructions of the Customer, which includes this DPA and the Master Access Agreement, unless the Data Processor is required by applicable laws to otherwise process that personal data in which case Data Processor shall, unless legally prohibited, promptly notify the Customer of this before performing the processing required by the applicable laws;
4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Data;
4.3 ensure that all personnel who have access to and/or process Customer Data are obliged to keep the Customer Data confidential;
4.4 not transfer any Customer Data outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country (or sector thereof), territory, or international organisation to which personal data is to be transferred, ensures an adequate level of protection; or pursuant to a transfer mechanism that is compliant with Data Protection Legislation, which may include but is not limited to approved Standard Contractual Clauses;
4.5 assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
4.6 notify the Customer without undue delay, and where practicable, within 48 hours, on becoming aware of a breach of Customer Data;
4.7 at the written direction of the Customer, delete or return Customer Data and copies thereof to the Customer on termination of the DPA unless required by applicable law to store the Customer Data;
4.8 maintain complete and accurate records and information to demonstrate its compliance with this Section 4 and allow for audits by the Customer or the Customer’s designated auditor, only so far as is necessary in order to demonstrate compliance and no more than once a year, provided that the Customer: provides no less than 30 days’ written notice of such audit or inspection; and the parties agree the scope, duration, and purpose of such audit or inspection in advance. Customer shall conduct its audit in a manner that will result in minimal disruption to Data Processor’s business operations and shall not be entitled to receive data or information of other clients of Data Processor or any other confidential information of Data Processor that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of the Data Processor as a result of this Section, the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that the Data Processor shall only be required to use reasonable endeavors to assist the Data Controller in procuring access to any third-party assets, records or information as part of any audit; and
4.9 inform the Customer immediately if, in the Data Processor’s opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) the Data Protection Legislation.
4.10 Third-party processors
- 4.10.1 Customer acknowledges and consents generally to the appointment by the Data Processor of third parties as sub-processors of the Customer Data being processed under this DPA.
- 4.10.2 Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in Section 4; and (b) the Data Processor shall remain fully liable for the actions of its sub-processors’ processing of Personal Data in connection with the Agreement.
- 4.10.3 Data Processor shall give the Customer notice of the appointment of any new sub-processors. Customer may reasonably object to such appointment within ten (10) U.S. business days of such notice. If Customer objects to such changes, Customer will give Data Processor the opportunity to make a change in the service or recommend a commercially reasonable change to Customer’s configuration to avoid processing of personal data by the objected-to new subprocessor without unreasonably burdening Customer.
5. DATA TRANSFER
5.1 To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard Contractual Clauses, which are incorporated by reference and will be deemed completed as set forth below.
- 5.1.1 Module 2 of the 2021 Standard Contractual Clauses applies;
- 5.1.2 Clause 7 (the optional docking clause) is not included;
- 5.1.3 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is provided upon request. dscout shall update that list and provide notice to Customer at least ten (10) days in advance of any intended additions or replacements of sub-processors.
- 5.1.4 Under Clause 11, the optional language does not apply;
- 5.1.5 Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
- 5.1.6 Under Clause 18, the parties select the courts of Ireland;
- 5.1.7 Annexes I and II of the 2021 Standard Contractual Clauses are set forth below.
- 5.1.8 With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP”):
- 5.1.8.1 References to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP.
- 5.1.8.2 The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- 5.1.8.3 References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
- 5.1.8.4 Under Annex I(C): Where the transfer is subject exclusively to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner. Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
5.2 Data Transfers Outside of the United Kingdom. To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the United Kingdom (UK), for which UK Data Protection Law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, and where such law permits use of the 2010 Standard Contractual Clauses but does not permit use of the 2021 Standard Contractual Clauses, the Parties agree to be bound by the 2010 Standard Contractual Clauses. Customer is the “Data Exporter” and dscout is the “Data Importer”. Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the Clauses, the parties select the law of the United Kingdom. The “illustrative indemnification clause” labelled “optional” is deemed stricken. The remainder of the clauses are completed as set forth in Annex I(B) and Annex II below.
A. LIST OF PARTIES
Data exporter(s): The entity identified as “Customer” in the Agreement, and if applicable, the SOW.
Address: The address for Customer as specified in the Agreement, and if applicable, the SOW.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as specified in the Agreement, and if applicable, the SOW.
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement.
Signature and date: By using the Platform, the data exporter will be deemed to have signed this Annex I.
Role (controller / processor): Controller
Data importer(s): dscout as identified in the Agreement.
Address: The address for dscout is specified in the Agreement.
Contact person’s name, position and contact details: The contact details for dscout specified in the Agreement and if applicable, the SOW.
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement.
Signature and date: By using the Platform, the data importer will be deemed to have signed this Annex I.
Role (controller / processor): Processor for Customer Data
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer Data: Scouts and/or Customer Employees
Categories of personal data transferred
- Customer Data: Employee contact information (e.g., name, email address) and, if provided directly by Customer to invite Scout to the service, Scout contact information (e.g., name and email address).
Sensitive data transferred (if applicable) and applied restrictions.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- In accordance with Customer’s instructions.
Nature of the processing
- As set forth in the Agreement and DPA.
Purpose(s) of the data transfer and further processing
- To provide the Platform as set forth in the Agreement and DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- In accordance with Customer’s instructions and/or as set forth in the Agreement and DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As set forth in the Agreement and DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Irish Data Protection Commission
TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data Importer will comply with industry standard security measures (including with respect to personnel, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Data Exporter's Personal Data provided by Data Exporter to Data Importer), as well as with all applicable data privacy and security laws, regulations and standards.
The objective of dscout’s Information Security Program is to maintain the confidentiality, integrity and availability of its systems and data while meeting the necessary legislative, industry, and contractual requirements. Data Importer shall establish, implement, and maintain an information security program that includes technical and organizational security measures as well as policies and procedures to protect Data Exporter data processed by Data Importer against accidental loss; destruction or alteration; unauthorized disclosure or access; or unlawful destruction.
A high-level summary of the measures taken by the Data Importer to protect Data Exporter data is as follows:
- A policy defines requirements around enforcing security measures as they relate to employment status changes. This includes background checks, acknowledgement and adherence to Data Importer's security policies, onboarding and termination for employees and third parties.
- Data Importer organizational management and dedicated personnel are responsible for the development, implementation, and maintenance of the Data Importer security program.
- Independent risk assessments are conducted to determine the effectiveness of Data Importer security policies, procedures and technical controls. Assessment findings are delivered to compliance and security leadership.
- Effective policies and procedures are in place to guide the implementation and maintenance of Data Importer security controls. All policies and procedures are periodically reviewed.
- Security training is conducted annually for all Data Importer employees and contractors. Ongoing awareness is performed to ensure Data Importer employees and contractors understand the changing threats and appropriate response to protect data.
- Data Importer encrypts data at rest and in transit including communication within the cloud hosting environment, external integration, and client communication. Anonymization is used in test data sets to prevent data exposure.
- User and privileged access to system resources and data is limited. Data Importer enforces two-factor authentication. Data Importer conducts a periodic review of accounts to verify the appropriateness of user and privileged access.
- Secure coding practices are used during Data Importer software development. Security testing is performed throughout the software development lifecycle to detect vulnerabilities.
- Independent parties conduct penetration tests annually and Data Importer performs vulnerability scans periodically to detect system vulnerabilities. Vulnerability findings are analyzed and prioritized for remediation.
- Data Importer's security incident management processes guide monitoring, detecting, and responding to security threats and attacks.
- Business resiliency and disaster recovery procedures are implemented to maintain Data Importer services and/or recover from emergency situations or disasters.
- Third party risk reviews are conducted prior to contracting and throughout the relationship. Data Importer ensures that the third party remediates vulnerabilities to reduce risk to an acceptable level.