This Data Processing Addendum (“Addendum”) forms part of the Cloud-Based Application Agreement (“Agreement”) between Issuetrak, Inc. (“Issuetrak”) and the Company referred to as “You” therein (“Client”) and applies only to the extent that (1) Client is subject to the Data Protection Laws, including the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”); (2) Client is a Controller of Personal Data Processed by Issuetrak as that term is defined in the Data Protection Laws; and (3) Issuetrak is a Processor of such Personal Data as that term is defined in the Data Protection Laws. If all of the foregoing conditions are met, Client and Issuetrak agree as follows:
1. Definitions. The following definitions apply to this Addendum. Any capitalized terms not defined in this Addendum have the meaning ascribed to them in the Agreement.
(a) “Commercially Reasonable Efforts” means in respect of the party in question, taking such steps and performing them in such a way as that party would undertake to achieve a particular desired result for its own benefit, assuming such party was acting in a determined, prudent and reasonable manner and in the best interests of the other party.
(b) “Confidential Information” means any information that is received from or on behalf of a disclosing party and/or is obtained by a party or its personnel in connection with or arising out of this Agreement, including for the purposes of providing or receiving the Services that, if disclosed in tangible form, is marked confidential or if disclosed otherwise is confirmed in writing as being confidential or, whether disclosed in tangible form or otherwise, is manifestly confidential. Confidential Information includes this Agreement and the relationship between the parties but does not include Personal Data.
(c) “Data Protection Laws” means all data protection and privacy laws that apply to the Processing of Personal Data under this Addendum, including:
(i) all statutes, statutory instruments, regulations, by-laws, ordinances or subordinate legislation from time to time made or issued to which a party is subject;
(ii) the common law and the law of equity as applicable to the Parties;
(iii) any binding court order or judgment;
(iv) any applicable guidance, policy or standard which, in each case, is enforceable by law; and
(v) any applicable direction, policy, rule or order that is legally binding and that is issued by a Supervisory Authority insofar as the same relates to the Processing, protection or security of Personal Data.
(d) “Data Subject” means the natural living person to whom Personal Data relates.
(e) “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by European Commission decision 2010/87/EC, dated 5 February 2010.
(f) “Good Industry Practice” means the exercise of at least the skill, care, prudence and efficiency which would reasonably be expected for a similarly situated provider of services that are the same as, or substantially similar to, the Services under the Agreement.
(g) “Personal Data” means any information, including information in electronic form, that is included in Your Data and is processed by Issuetrak to provide the Service, and that relates to a living person who can be identified: (a) from those data, or (b) from those data and the use of additional information, taking into account all means reasonably likely to be used by anyone to identify the person directly or indirectly and includes, without limitation, first and last names, ID numbers, including government-issued identifiers, personal dates such as birthdates, email addresses, location data, internet protocol address or other online identifiers and information concerning race, ethnicity or mental or physical health. For clarity, “Personal Data” includes “Personal Information,” as that term is defined by the CCPA, and personal data that is publicly available. The term “Personal Data” excludes personal data that has been anonymized so that it is no longer possible to identify a Data Subject from the information, taking into account all means likely reasonably to be used by Issuetrak or anyone else to identify them.
(h) “Personal Data Breach” means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Issuetrak or its Subprocessors, which is adverse to this Addendum or Data Protection Laws, or otherwise unlawful.
(i) “Personnel” shall include the relevant Party’s partners, members, employees, officers and agents, self-employed contractors and those of its sub-contractors.
(j) “Processing” means any operation or set of operations performed on data, whether or not by automated means, such as accessing, collection, downloading, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (and “Process” and “Processed” shall be construed accordingly).
(k) “Subprocessor” means anyone engaged by Issuetrak to perform Processing that Issuetrak performs on behalf of Client.
(l) “Supervisory Authority” means any person or body having regulatory, supervisory, administrative, governmental or competent authority from time to time over all or any part of Issuetrak or Client, including the European Data Protection Board. For avoidance of doubt, this includes any successors to any person or body that would be considered to be a “Supervisory Authority” at the date of this Addendum.
2. Data Protection.
(a) With respect to the Parties’ rights and obligations under this Addendum, the Parties agree that Issuetrak is a Processor and Client is a Controller (each as defined in Data Protection Laws) of Personal Data.
(b) The Parties agree that Issuetrak is a “Service Provider,” as that term is defined in the CCPA, with respect to any Personal Data subject to the CCPA. Issuetrak is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than providing the Service, or as otherwise permitted by the CCPA; and (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between the person and the business. Issuetrak hereby certifies that it understands the restrictions in this Section 2(b) and will comply with them.
(c) The subject matter and duration of the Processing of Personal Data are described in the Agreement and this Addendum. The nature and purpose of the Processing of Personal Data is providing the Service.
(d) The types of personal data and the categories of data subjects are set forth in Schedule 1 to this Addendum.
3. Responsibilities of Client.
(a) Client shall process Personal Data in compliance with Data Protection Laws and good data processing practice.
(b) Client’s documented instructions of Processing of Personal Data are primarily given in the Agreement and this Addendum. Client shall have the right to give Issuetrak new documented instructions or amend the documented instructions given by Client to Issuetrak. Issuetrak is entitled to charge for reasonable and substantiated additional costs for complying with new or amended documented instructions from Client.
4. Responsibilities of Issuetrak. Issuetrak shall and shall procure that its personnel shall, at all times:
(a) process Personal Data in compliance with Data Protection Laws and good data processing practice;
(b) process Personal Data in accordance with this Addendum or on documented instructions from Client, unless prescribed otherwise by a provision of Data Protection Laws applicable to Issuetrak. In such case, Issuetrak shall inform Client of such requirement before beginning the Processing of Personal Data in accordance with the instructions, unless informing of such requirement is prohibited in Data Protection Laws;
(c) inform Client without undue delay if Issuetrak considers that instructions of Client are in breach of Data Protection Laws;
(d) ensure that Issuetrak’s personnel who are authorized to process Personal Data agree to maintain the confidentiality of such Personal Data in a manner consistent with the provisions of this Addendum;
(e) implement and maintain technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful Processing;
(f) follow the conditions concerning the use of Subprocessors as prescribed in Section 7(a) below;
(g) taking into account the information available to Issuetrak, provide reasonable assistance to Client in responding to requests for exercising the rights of Data Subjects where Client does not have the required information. Issuetrak is entitled to charge Client, and Client must pay to Issuetrak upon demand, for additional costs and expenses that were reasonably incurred as a result of complying with this Section 4(g). Issuetrak will promptly notify Client if it receives a request from a Data Subject to access, correct or delete that Data Subject’s Personal Data or other right under Data Protection Laws or if a Data Subject objects to the Processing thereof and Issuetrak shall not respond to a Data Subject request without Client’s prior written consent;
(h) taking into account the information available to Issuetrak, provide reasonable assistance to Client in ensuring compliance with its obligations set out in Data Protection Laws relating to data security, Personal Data Breaches, data protection impact assessments, and prior consulting obligations. Issuetrak is entitled to charge Client, and Client must pay to Issuetrak upon demand, for additional costs and expenses that were reasonably incurred as a result of complying with this Section 4(h);
(i) at the choice of Client, delete or return Personal Data to Client on termination of the Services and delete all existing copies unless Issuetrak is required to store such Personal Data by any law or regulation to which Issuetrak is subject; and
(j) make available to Client all information necessary to demonstrate compliance with Issuetrak’s obligations set out in this Addendum and in Data Protection Laws. Client is obliged to keep all such information confidential at all times.
5. Personal Data Breach Notification.
(a) Issuetrak shall notify Client of all Personal Data Breaches without undue delay, but no later than one (1) business day after Issuetrak has become aware of the Personal Data Breach. Issuetrak shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps deemed necessary and reasonable in order to remediate the cause of such Personal Data Breach. The Personal Data Breach notification shall contain the following:
(i) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
(ii) the name and contact details of the relevant contact person at Issuetrak handling the Personal Data Breach;
(iii) a description of the likely consequences and/or actual, realized consequences of the Personal Data Breach; and
(iv) a description of the measures Issuetrak has taken to address the Personal Data Breach and to mitigate its adverse effects.
(b) To the extent Issuetrak is unable to provide all of the information set forth above upon initial notice to Client, Issuetrak may supplement such notice with information as it becomes available and/or known to Issuetrak.
(c) Issuetrak shall document Personal Data Breaches and, subject to attorney-client privilege, disclose the documentation to Client upon Client’s written request.
(d) After Issuetrak has become aware of the Personal Data Breach, Issuetrak shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with Client.
6. Transfers of Personal Data.
(a) Issuetrak may process Personal Data anywhere in the world where Issuetrak or its Subprocessors maintain data Processing operations. Issuetrak shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws.
(b) To the extent Issuetrak’s performance or Client’s use of the Services requires the transfer of Personal Data from within the European Union or Switzerland to the United States or any other country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the Standard Contractual Clauses are incorporated by reference in this Addendum and will apply to the transfer, unless the parties jointly agree that another valid mechanism under Data Protection Laws may be used with respect to the export of Personal Data. For purposes of the Standard Contractual Clauses:
(i) Client is the “data exporter” and Issuetrak is the “data importer;”
(ii) Issuetrak’s obligations under the Standard Contractual Clauses will be governed by the laws of the member state(s) in which Client is established;
(iii) The details of Appendix 1 of the Standard Contractual Clauses are set forth in Schedule 1 to this Addendum, which will be completed and executed by the parties;
(iv) The details of Appendix 2 of the Standard Contractual Clauses are set forth at https://www.issuetrak.com/security/; and
(v) In the event of any conflict between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
(a) Issuetrak is entitled to engage and use Subprocessors in Processing Personal Data. Issuetrak may continue to use those Subprocessors already engaged by Issuetrak as of the date of this Addendum, and subject to Issuetrak meeting its obligations in Section 7(d) below Client hereby approves of such Subprocessors.
(b) Issuetrak is entitled to reduce the number of Subprocessors without separate notice to Client.
(c) Issuetrak shall notify Client at least thirty (30) days prior to a new Subprocessor commencing to Process Personal Data under this Addendum. Client may deny the use of the new Subprocessor only if Client has good faith, reasonable doubts about the ability of the Subprocessor to comply with Data Protection Laws. If Client does not deny the use of the new Subprocessor in writing within fourteen (14) days from the date of written notice from Issuetrak, Issuetrak may use the new Subprocessor in Processing Personal Data. If Client reasonably objects to a change in Subprocessor and Issuetrak cannot change the Service or recommend a commercially reasonable change to Client’s configuration or use of the Service to avoid Processing of Personal Data by such Subprocessor, Client may terminate the Agreement. In such case, Issuetrak will refund Client any prepaid fees covering the remainder of the term of the Agreement.
(d) Issuetrak shall take appropriate measures to ensure that the Subprocessors comply with the obligations specified in this Addendum, including security and confidentiality requirements, and Issuetrak shall enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to, and no less protective than those contained in this Addendum. Issuetrak is responsible for the performance of its Subprocessors.
8. Amendment. Except as set forth herein, this Addendum may only be amended by mutual written agreement of the Parties.
This Schedule forms part of the EU Model Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Schedule.
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is the entity identified as “Client” in the Data Processing Addendum executed between the data exporter and the data importer, a user of the cloud-based application provided by the data importer.
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is Issuetrak, Inc., the provider of a cloud-based application utilized by the data exporter to report on and monitor the resolution of issues related to the data exporter’s business.
The personal data transferred concern the following categories of data subjects (please specify):
The data exporter may, at its sole discretion, submit Personal Data to the Service, which may include, but is not limited to, the following categories of Data Subjects: employees, customers, prospective customers, service providers, business partners, vendors, advisors (all of whom are natural persons) of the data exporter and any natural person(s) authorized by the data exporter to use the Services.
The personal data transferred concern the following categories of data (please specify):
The data exporter may, at its sole discretion, submit Personal Data to the Service which may include, but is not limited to, the following categories of data: first and last name, email address, telephone number, address (business or personal), date of birth, communications (telephone recordings, voicemail), customer service information, and title.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
The data importer will host and process Personal Data in the course of providing its cloud-based application for use by the data exporter, including as necessary to provide service and support.
|DATA EXPORTER||DATA IMPORTER|