DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) is entered into by and between you (“Customer”, “you,” and “yours”) (collectively, with its Affiliates, “Customer”) and Voice, LLC doing business as Corporate Message Services (collectively, with its Affiliates, “Provider”). This DPA supplements and is incorporated into the existing agreement between Customer and Provider (the “Agreement”) pursuant to which Provider will provide services (“Services”) to Customer and has the same Effective Date as the Agreement. In the course of providing the Services to Customer, Provider may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.
1. Definitions
- “Affiliate” means with respect to an entity, any other entity that, now or in the future, either directly or through one or more intermediaries, controls, is controlled by, or is under common control with, that entity or any of its successors.
- “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100, as amended by the California Privacy Rights Act, and implementing regulations.
- “Controller” means the definition of a controller, business, or equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data Processed by Provider (or a Sub-processor) on behalf of Customer pursuant to or in connection with the Agreement. Customer Personal Data does not include data or information derived from the Processing that does not constitute Personal Data or Personal Data collected by Provider as an independent controller.
- “Data Protection Laws” means any applicable international, national, federal, state, local, municipal, or territorial law, regulation, rule, guideline, guidance, or industry standard concerning or relating to data privacy, security, or breach notification, including, but not limited to, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the GDPR, the Mexican Federal Data Protection Law, the Utah Consumer Privacy Act, the UK GDPR, the Virginia Consumer Data Protection Act, and any other applicable state privacy law.
- “Data Subject” means the definition of a data subject, consumer, or an equivalent term under Data Protection Laws.
- “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
- “Personal Data” means (i) information that identifies or reasonably could identify a natural person; or (ii) information that constitutes personal data, personal information, personally identifiable information, nonpublic personal information, personal health information, or an equivalent term under Data Protection Laws.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and any other action that constitutes “processing” or an equivalent term under Data Protection Laws.
- “Processor” means the definition of a processor, service provider, or an equivalent term under Data Protection Laws.
- “Security Incident” means any confirmed unauthorized access, disclosure, misappropriation, theft, loss, acquisition, use, modification, or altering the availability of Personal Data.
- “Sub-processor” means any person appointed by or on behalf of Provider to Process Personal Data on behalf of Customer under the Agreement.
- “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
2. Term.
- The term of this DPA will commence on the Effective Date and will continue as long as Provider Processes Customer Personal Data.
3. Processing of Customer Personal Data
- 3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Provider is the Processor.
- 3.2 Customer Authority. Customer represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instructions set forth in Section 3.3 below on behalf of itself.
- 3.3 Provider’s Processing of Customer Personal Data.
- (a) Provider shall only Process Customer Personal Data for the purpose of providing the Services and in accordance with Customer’s written instructions, including the provisions of this DPA.
- (b) Provider is prohibited from Processing Customer Personal Data for any purpose or in any manner not authorized by this DPA or necessary to perform the Services under the Agreement. Provider may Process Customer Personal Data for the following purposes:
- (i) For internal use by the Provider to build or improve the quality of its services, provided that the use does not include building or modifying Data Subject profiles to use in providing services to another business, or correcting or augmenting Personal Data acquired from another source;
- (ii) To detect Security Incidents or protect against fraudulent or illegal activity;
- (iii) To comply with federal, state, or local laws;
- (iv) To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
- (v) To cooperate with law enforcement agencies concerning conduct or activity that the Customer, Provider, or Sub-processor(s) reasonably and in good faith believe may violate federal, state, or local law; and
- (vi) To exercise or defend legal claims.
- (c) Provider is prohibited from selling, renting, leasing, licensing, or sharing for purposes of cross-contextual or targeted advertising any Customer Personal Data.
- (d) Provider will comply with Data Protection Laws and will immediately notify Customer if Provider decides it can no longer meet its obligations under Data Protection Laws.
- 3.4 Details of the Processing. The details of this Processing are further specified in Exhibit A of this DPA, and may be amended by the parties as necessary. Provider shall only be obligated to perform any additional instructions to the extent that they are consistent with the terms and scope of the Agreement and this DPA.
- 3.5 Customer’s Responsibility. Customer is solely responsible for its compliance with all Data Protection Laws applicable to it. Customer represents and warrants that it has obtained all necessary consents, licenses and permissions, if any, required from Data Subjects and any third parties, and as required by Data Protection Laws for Provider’s Processing.
4. Provider Personnel
- 4.1 Provider shall restrict its employees from Processing Customer Personal Data without authorization by Provider and shall limit the Processing to that which is needed for the specific individual’s job duties in connection with Provider’s provision of the Services.
- 4.2 Provider shall ensure that all of its employees that Process Customer Personal Data will be subject to contractual duties to: (a) keep confidential all Customer Personal Data; (b) follow appropriate data security measures; and (c) cooperate with Customer with respect to Data Subject requests in accordance with Section 8.
5. Sub-processors
- 5.1 Approval of Sub-processors. Customer provides Provider with a general authorization to engage Sub-Processors. To the extent required by Data Protection Laws, Provider shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors. Unless Customer objects in writing to the Sub-processor within 7 (seven) days, the request shall be deemed approved.
- 5.2 Sub-processing Agreement; Liability. Provider has or shall enter into a written agreement with each Sub-processor (the “Sub-processing Agreement”) containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data, to the extent applicable to the nature of the Services provided by such Sub-processor.
- 5.3 Copies of Sub-Processor Agreements. Provider shall provide to Customer for review copies of the Sub-processor agreements as Customer may reasonably request from time to time.
6. Security
- Provider shall implement and maintain technical, organizational, and physical security measures necessary to protect the availability, confidentiality, and integrity of Customer Personal Data. Such measures shall, at a minimum, meet the requirements set forth in Exhibit B and in Data Protection Laws.
7. Cross-Border Transfers
- 7.1 To the extent that Customer Personal Data is transferred under the Agreement from the European Economic Area or the United Kingdom to a country that has not received an adequacy determination from the EU Commission (or the Information Commissioner’s Office in the case of transfers from the United Kingdom), including transfers to the United States (collectively “Restricted Transfers”), the parties agree that they will use, together or individually, any necessary transfer mechanisms such as the Standard Contractual Clauses (“SCCs”). The parties intend to abide by the SCCs with the following choices:
- (a) Module Two applies;
- (b) in Clause 7, the optional docking clause applies;
- (c) in Clause 9(a), Option 2 applies, and the time period for prior notice of Subprocessors is seven (7) days;
- (d) in Clause 11(a), the optional language does not apply;
- (e) in Clause 13(a), the exporter is established in an EU Member State;
- (f) in Clause 17, Option 1 applies with the governing law being English Law;
- (g) in Clause 18(b), disputes will be resolved before the courts in England;
- (h) Annex I of the EU SCCs is completed with the information in Exhibit A and Exhibit C to this DPA; and
- (i) Annex II of the EU SCCs is completed with the information in Exhibit B to this DPA.
- 7.2 Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer as follows:
- (a) the UK Transfer Addendum is completed with the information in Section 7.1 and Exhibit A, Exhibit B, and Exhibit C to this DPA;
- (b) both “Importer” and “Exporter” are selected in Table 4;
- (c) in Table 2, the selected Addendum EU SCCs are the version of the Approved EU SCCs, which the UK Transfer Addendum is appended to, dated 4 June 2021, including the Appendix Information;
- 7.3 To the extent that the parties determine that a different version of the SCCs should apply, or should an adequacy decision become effective, the parties agree to cooperate in good faith to ensure the appropriate transfer mechanisms are in place.
8. Data Subject Rights
- 8.1 Cooperation for Data Subject Requests. Provider shall assist and reasonably cooperate with Customer in responding to any Data Subject requests received by Customer.
- 8.2 Responding to Data Subjects. In the event that Provider or a Sub-processor receives a Data Subject request relating to Customer Personal Data, Provider shall notify Customer in writing within 3 (three) days. Provider shall respond to the request according to instructions by Customer to either: (1) act on behalf of Customer in responding to the request or (2) inform the Data Subject that the request cannot be acted upon because the request has been sent to a Processor.
9. Security Incident Response
- 9.1 Provider shall report a Security Incident to Customer as soon as practicable, but no later than seventy-two (72) hours after becoming aware of such Security Incident. Such notification to be provided in writing (by email) to [Customer email] and telephonically to the [Customer phone number], as such email address or phone number may be modified from time to time upon written notice from Customer.
- 9.2 Immediately following Provider’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident. Provider and Customer agree to reasonably cooperate with each other in the investigation of any Security Incident.
10. Data Protection Impact Assessment and Prior Consultation
- Provider shall reasonably cooperate with Customer with respect to any data protection assessment, data protection impact assessments, privacy risk assessment, or equivalent requirement under Data Protection Laws.
11. Return or Destruction of Personal Data
- At Customer’s election, made by written notice, the Provider shall, and ensure that all Sub-processors shall: (a) return a complete copy of all Customer Personal Data to Customer in such format and manner requested by Customer; and (b) delete and ensure the deletion of all other copies of Customer Personal Data Processed by Provider or any Sub-processor, unless Data Protection Laws require the storage of the Customer Personal Data.
12. Audit
- 12.1 Report on Compliance. At Customer’s written request, Provider will provide Customer all information necessary to demonstrate compliance with Data Protection Laws and this DPA.
- 12.2 Audit. Provider shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Provider or Sub-processors.
13. Jurisdiction and Governing Law
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the Commonwealth of Virginia. The parties agree that any dispute arising under this DPA shall be resolved in the United States District Court for the Eastern District of Virginia, and you submit to the personal jurisdiction of that court. If subject matter jurisdiction (including diversity jurisdiction) does not exist in the United States District Court for the Eastern District of Virginia for any such claim, then the exclusive forum and venue for any such action shall be the courts of the Commonwealth of Virginia, and you submit to the personal jurisdiction of that court.
14. Indemnification; Limitations on Liability; Remedies.
- Customer’s indemnification, limitation on liability, and remedy with respect to any alleged breach by us of the terms of this DPA, and the overall aggregate liability of us arising out of, or in connection with the Agreement (including this DPA), will be subject to an aggregate limitation of liability equal to the lesser of: (i) your pro-rated monthly service charge for the period during which the liability arose, to a maximum of fifteen (15) days; or (ii) five hundred dollars ($500.00) (“Liability Cap”). For the avoidance of doubt, the Parties intend and agree that our overall aggregate liability arising out of, or in connection with the Agreement (including this DPA) shall in no event exceed the Liability Cap.
15. Severance.
- If any provision of this DPA (or part of any provision) is or becomes illegal, invalid, or unenforceable, the legality, validity and enforceability of any other provision of this DPA shall not be affected.
EXHIBIT A: DETAILS OF PROCESSING
- Subject matter and duration of the Processing: The subject matter of the Processing to be conducted under the Agreement is the Personal Data that Processor Processes on behalf of Provider in connection with the execution of the Agreement. The duration of the Processing is determined by the contractual agreement between the Processor and the Provider.
- Nature and purpose of the Processing: The nature and purpose of the Processing to be conducted under the Agreement is secure processing of Personal Data to facilitate the business services provided by the Provider.
- Types of Customer Personal Data: The Personal Data to be Processed under the Agreement include the following types of Personal Data: full Name, phone number, email, physical address, social security number, date of birth.
- Categories of Data Subjects: The Processing of Personal Data will be conducted under the Agreement for the following Categories of Data Subjects: Provider’s customers, Provider’s customer’s customers, Provider’s employees.
EXHIBIT B: TECHNICAL, ORGANIZATIONAL, AND PHYSICAL SECURITY MEASURES
- I. Confidentiality
- 1. Physical Access Control. Relevant controls to prevent unauthorized access to data processing facilities (e.g. data centers, office buildings, server rooms) have been implemented. This includes:
- i. Security perimeter controls, such as fences, solid buildings, true floor-to-ceiling walls, locked doors, turnstiles, alarm systems.
- ii. Dedicated secure areas (e.g. data centers, server rooms) with a limited number of authorized personnel who have access.
- iii. Electronic access cards (ID cards, badges), keys and door locks.
- iv. Video surveillance systems.
- v. Facility security services and/or entrance security staff for data centers and research and development office.
- vi. Proper authorization and escorting of visitors when needed.
- 2. Electronic Access Control. Relevant controls to prevent unauthorized use of the data processing and data storage systems have been implemented. This includes:
- i. Unique identifier (user ID) for all authorized users, for their personal use only and authentication technique to substantiate the claimed identity of a user.
- ii. Password protection for computer systems and strong password policy:
- 1) A strong and unique password (at least 8 characters long).
- 2) The password contains characters belonging to at least three of the following five categories:
- a. Upper case letters.
- b. Lower case letters.
- c. Numerical symbols.
- d. Special symbols.
- e. Unicode alphabet characters that do not have upper and lower cases (e.g. Asian languages).
- 3) Storing passwords in an encrypted format using one-way hashing.
- 4) Periodical testing of passwords.
- iii. Automatic account locking after 5 failed log-on attempts.
- iv. New accounts are forced to change passwords on initial log-on.
- v. Systems are automatically timed out / password locked after 15 minutes of inactivity and require authentication to continue.
- vi. Inactive accounts are locked during quarterly audits.
- vii. Multifactor authentication for remote access to corporate services and privileged operations.
- viii. Encryption of data at rest using hard drive built-in tools and Microsoft technologies, like BitLocker or Azure encryption.
- ix. Anonymization is used where required and possible, according to the nature of processed data.
- x. Secure disposal of old equipment.
- 3. Internal Access Control. Relevant controls to prevent unauthorized reading, copying, changes or deletions of data within the systems and measures regulating user rights of access to and amendment of data have been implemented. This includes:
- i. Secure access connections and technologies used for authentication control.
- ii. Unique login names, strong passwords and periodic examinations of the access lists are existent to guarantee the appropriate use of user accounts.
- iii. The granting of access rights is a formal process, based on the job responsibilities (role) of the user and on a need-to-know basis and must be authorized by the corresponding resource owner and/or supervisor of the person who makes an application for it.
- iv. Identity management tool used to manage access according to defined and approved rules, to process access requests, and to keep track of access changes.
- v. The access to productive systems is only granted to users who are periodically trained and authorized for the corresponding action. The access to productive systems is also immediately withdrawn in case of a termination of the contract of employment or in case of an assignment of a different task.
- vi. System access events are logged and stored securely with restricted access only for authorized users.
- vii. Isolation Control. Data is processed according to the purpose of processing. Data of different customers are separated logically in storages, using access rules and/or using separation of environments or logical Identifiers.
- II. Integrity
- 1. Data Transfer Control. Measures to prevent unauthorized reading, copying, changes or deletions of data with electronic transfer or transport have been implemented:
- i. Encryption of data in transit by using HTTPS (TLS 1.2), IPsec.
- ii. Laptops’ hard drives and mobile devices storages are encrypted.
- iii. VPN is used to connect separate locations and for remote access.
- iv. The perimeter network devices are appropriately configured to secure internal network from unauthorized external connections and to secure that computer connections and data flow do not breach the logical access adjustment control.
- v. Electronic signatures are used where applicable.
- 2. Data Entry Control. Measures for the verification, where necessary, whether and by whom personal data is entered into a data processing system, is changed or deleted, have been implemented. Measures include:
- i. Logging of user access to systems.
- ii. Document changes are tracked.
- iii. Requirements for ensuring authenticity and protecting message integrity in applications are identified, where necessary, and appropriate controls are implemented.
- III. Availability and Resilience
- 1. Availability Control. Measures to prevent accidental or willful destruction or loss of information have been implemented. Measures include:
- i. Reasonable physical protection against environmental risks (e.g., fire, flood, earthquake), such as:
- 1) Climate control systems.
- 2) Temperature sensors.
- 3) Smoke/heat detectors.
- 4) Water sensors.
- 5) Fire suppression systems.
- 6) Alarm / Monitoring systems.
- ii. Physical protection from power failures and other disruptions caused by failures in supporting utilities, such as:
- 1) Uninterruptible Power Supply (UPS) for servers and network equipment.
- 2) Multiple power feeds and generators with onsite fuel capacity for datacenters
- iii. Backup strategy and procedures, such as regular backups, on-site/off-site storage of backups, backups monitoring and checks.
- iv. Antimalware protection and firewalls installed on endpoints and on gateway level (e.g. web-proxy, email gateway). It is managed centrally by IT, virus signatures are updated at least once a day, full scan is scheduled weekly.
- v. Workstations centralized management (automatic locking, patch management, configuration, physical security, etc.) to reduce the possibility to exploit software properties (operating systems, business applications etc.).
- vi. Network security:
- 1) Firewalls on endpoints and gateways.
- 2) Intrusion detection and prevention systems.
- 3) Network segmentation.
- 4) Secure network configuration and protocols use.
- vii. Restriction of physical and logical access to diagnostic and configuration ports of infrastructure equipment.
- viii. Using advanced threat analytics solution to detect suspicious user/device activity.
- IV. Rapid Recovery
- Measures to ensure the ability to restore the availability of services in a timely manner in the event of a physical or technical incident have been implemented. This includes:
- 1. Redundant architectures, such as clusters, RAID, network load balancing.
- 2. Use of geo-redundancy in cloud services and redundant data centers.
- 3. Business continuity and disaster recovery planning and regular testing.
- V. Procedures for Regular Testing, Assessment and Evaluation of the Effectiveness of Technical and Organizational Measures for Ensuring the Security
- The following measures are in place to test, assess and evaluate the Effectiveness of Technical and Organizational Measures:
- 1. At least annual risk assessment and security policy review.
- 2. Regular security tests, such as scanning for vulnerabilities (endpoints, products, services etc.), penetration tests by specialized providers (services, corporate network).
- 3. Periodical internal security audits and tests.
- 4. Annual certification audits for several services.
- 5. Processing incidents according to Incident Response Plan, reviewing results during root cause analysis and improving security management system.
- VI. Order or Contract Control
- Measures to prevent third party data processing other than upon instruction from the controller have been implemented. This includes:
- 1. Clear and unambiguous contractual arrangements in line with GDPR requirements
- 2. Procurement procedure, legal review and vendor management procedure to check the security state of new vendor before selecting it.
- 3. Information security state of vendors is reviewed annually or in case of security incidents.
- VII. Organizational Control
- Relevant technical and organizational measures have been implemented for ensuring that, by default, only personal data which are necessary are processed in a legitimate way. These measures include:
- 1. Privacy Officer is responsible for data protection laws and regulations (contact e-mail: support@cmscom.net). In-house lawyers working on data protection are responsible for legal aspects of data processing.
- 2. Privacy Policy and internal guidelines on privacy include the description of risks, key principles to be followed, target objectives, rules to be applied and are available for different stakeholders, e.g. users, IT department, HR department, policymakers etc. via corporate portal.
- 3. Security Policies and guidelines on many security topics are implemented in processes and systems, reviewed annually, approved by management, and communicated to users.
- 4. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, the strictest privacy settings apply by default, without any manual input from the end user. For any data processing that is not covered by legitimate interest, the data subject is asked for consent.
- 5. Privacy by design, i.e. measures to ensure that, when processing personal data, privacy is built into a system during the whole life cycle of that system or process. This consists, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency regarding the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
- 6. Data Protection Impact Assessment describes processes to control the risks that processing operations performed by the organization pose on data protection and the privacy of data subjects.
- 7. Processing of personal data is minimized during Data Protection Impact Assessment.