Updated: August 1, 2024
Global Data Processing Addendum
This Global Data Processing Addendum (this “DPA”) to the Agreement (defined below) is entered into by RMG Enterprise Solutions, Inc. dba Korbyt, on behalf of itself and its wholly-owned subsidiaries (collectively, “Company”) and forms part of the agreement entered into by and between Company and the Customer pursuant to which Company provides Services to Customer (the “Agreement”). This DPA supersedes and cancels any previous data processing agreement between the parties relating to the subject matter of this DPA, but it merely supplements, and does not supersede or cancel, the Agreement, which remains in full force and effect according to its terms. This DPA modifies the Agreement by adding data protection provisions to govern the processing of Personal Data by the Company in the course of providing the Services and the making of Restricted Transfers under the GDPR, the Swiss Federal Data Protection Act 2020 and UK GDPR. Capitalized terms not expressly defined in this DPA will have the meanings given to them in the Agreement. Company may modify this DPA from time to time. If and to the extent language in this DPA conflicts with the Agreement, this DPA shall take precedence. The term of this DPA corresponds to the duration of the Agreement.
By clicking on the “I agree” (or similar button) that is presented to Customer at the time its accesses or uses the Services, Customer indicates its assent to be bound by this DPA. If Customer does not agree to the terms of this DPA, Customer should not use any Services.
How this DPA Applies
Company provides Customer the services described in the Agreement (the “Services”). Pursuant to the Agreement, Company may process Personal Data of individuals who utilize the Services. Company and Customer have agreed to execute this DPA to comply with the Data Protection Laws with respect to such processing.
Terms and Conditions
1. Definitions.
All capitalized words not otherwise defined herein will have the meaning set forth in the Agreement.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity.
1.2 “Authorized Person” means such person(s) as shall be nominated by the Customer from time to time in writing to Company to act on Customer’s behalf under this DPA.
1.3 “Authorized Subprocessor” means any Affiliate of the Company or Subprocessor who is either (1) listed in Exhibit B or (2) authorized by Customer to process Customer Data.
1.4 “Customer” means the non-Company party to both the Agreement and this DPA that has access to the Services.
1.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal Data and on the free movement of such data.
1.6 “Data Controller,” “Data Subject,” “Supervisory Authority,” “Data Processor,” “Business” and “Service Provider” (and plurals and grammatical variants of each) have the meaning given to these terms by the Data Protection Laws.
1.7 “Data Protection Laws” means all data protection and privacy laws and regulations to the extent applicable to the parties and the processing of Personal Data under the Agreement including where applicable: the GDPR, UK GDPR and UK Data Protection Act 2018 (in respect of the United Kingdom), and the Swiss DPA as may be amended, superseded or replaced from time to time.
1.8 “DPA Effective Date” means (i) the Effective Date of the Agreement, or (ii) the date on which Company receives a fully completed and executed copy of this DPA, if this DPA is executed independently of the Agreement.
1.9 “EEA” or “European Economic Area” means the European Union countries together with Iceland, Liechtenstein and Norway. It does not include Switzerland or the United Kingdom.
1.10 “EU SCCs” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Standard Contractual Clauses” Section below.
1.11 “Europe” means for the purposes of this DPA, the European Economic Area, Switzerland and the United Kingdom.
1.12 “Personal Data” means all data which is defined as ‘personal data’, ‘personal information,’ or ‘sensitive data’ in the Data Protection Laws, and which is provided by Customer to Company as a Data Processor and is accessed, stored, or otherwise processed by Company in the course of providing the Services pursuant to the Agreement, to the extent such data qualifies for protection under the Data Protection Laws.
1.13 “Processing,” “process”, “processes” and “processed” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.14 “Restricted Transfer” means (a) when the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination from the European Commission; (b) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council; and (c) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17 A of the United Kingdom Data Protection Act 2018.
1.15 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
1.16 “Standard Contractual Clauses” or “SCC” means the EU SCC or the UK SCC, as applicable.
1.17 “Sub-processor” means third party subcontractors Company may retain from time to time that provide services to Company necessary for Company to perform its obligations under the Agreement.
1.18 “Swiss DPA” means the Swiss Federal Data Protection Act as may be amended, superseded or replaced from time to time
1.19 “UK GDPR” means the retained EU law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019 (SI 2019/419).
1.20 “UK SCCs” means the international data transfer addendum to the European Commission’s Standard Contractual Clauses (Addendum) issued under section 119 A of the Data Protection Act 2018.
2. Details of Data Processing.
2.1 Subject matter. The subject matter of the data processing under this DPA is the Personal Data processed by Company pursuant to the Agreement.
2.2 Duration. Company will process Personal Data (i) for the duration of the Agreement; and (ii) for the period after the termination or expiry of the Agreement during which Company has surviving obligations that require it to process such Personal Data or the Customer continues to store such Personal Data on Company’s systems.
2.3 Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer under the Agreement.
2.4 Nature of the processing. Company will compute, store and provide such other Services as described in the Agreement and initiated by Customer from time to time.
2.5 Type of Customer Data. Personal Data uploaded to the Services under Customer’s Company accounts or by Company at Customer’s direction including:
2.5.1 Basic and contact data: name, organization, title, postal address, email address, telephone number, and fax number; and
2.5.2 Network or usage data: such as such as the data subject’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages used/visited, the time and date of the visit or use, the time spent on those pages or features of Company, unique device identifiers and other diagnostic data.
2.6 Categories of data subjects. The data subjects may include Customer’s customers, employees, suppliers, end-users and third parties whose Personal Data is obtained through the Services.
3. Processing of Personal Data.
The parties agree to the following with respect to any processing of Personal Data under this DPA:
3.1 For the purposes of the Data Protection Laws, the Customer shall be the Data Controller and the Company shall be the Data Processor.
3.2 Company will process the Personal Data in accordance with Customer’s documented instructions and for no other purpose. Such instructions to be set forth pursuant to (a) this DPA and the Agreement, including Customer’s instructions to correct, amend, delete or to stop processing Personal Data, (b) as directed and documented by Customer through the Services, and (c) in accordance with the requirements of Article 28 of GDPR. The parties agree that this DPA and the Agreement set out the Customer’s complete and final documented instructions to Company in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Company. The Customer shall ensure that any Authorized Person is fully aware of the terms of the Agreement and this DPA such that the Company shall be entitled to assume that any instructions given to the Company by any Authorized Person under this DPA or the Agreement, shall be given with the Customer’s full authority. The Customer acknowledges and agrees that the Company shall not be under any duty to investigate the completeness, accuracy or sufficiency of any instructions given to the Company by the Customer or any Authorized Person.
3.3 Company will disclose Personal Data to employees who provide to Company services necessary to fulfill Company’ obligations under the Agreement and who have agreed to use and protect such Personal Data as required under the Agreement and this DPA, and for no other purpose.
3.4 Company will ensure that any person who is authorized by Company to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). Company will ensure such personnel are aware of the confidential nature of the Personal Data and have received appropriate training on the handling of Personal Data and on their responsibilities in relation to the processing of Personal Data.
3.5 Company will notify Customer within seventy-two (72) hours if, after a prompt initial investigation, Company or its Sub-processors confirm the actual or high likelihood of the occurrence of a Security Incident or of any processing of Personal Data in a manner inconsistent with the terms of the Agreement and this DPA, and to provide reasonable assistance to Customer with respect to any Security Incident (including without limitation cooperating with Customer with respect to notification of Supervisory Authorities and communicating to Data Subjects regarding a Security Incident). In addition, unless prohibited by applicable law, Company shall: (i) cooperate with Customer in good faith as to whether Data Subjects are notified of a Security Incident and what such notifications provide; (ii) not notify any Data Subject or third party of the Security Incident (except law enforcement authorities and third-parties engaged by Company to assist with the investigation or remediation of any such Security Incident) prior to notifying Customer of the Security Incident as required under this Section; and (iii) take all reasonable steps to eliminate or contain the exposure of Personal Data affected by the Security Incident.
3.6 Company shall provide such reasonable assistance as the Customer may reasonably request in relation to data protection or privacy impact assessments and with any prior consultation with a supervisor authority which the Customer considers necessary pursuant to Articles 35 and 36 GDPR respectively. The Company’s assistance shall in each case be limited to the processing of Personal Data under this DPA.
3.7 Company will promptly notify Customer upon Company’ or its Sub-processors’ receipt of any request for disclosure of Personal Data from a government entity or court of law of competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law) and will refrain from disclosing Personal Data in response to the same unless and until Customer has advised Company whether or not it will contest the request for disclosure (unless otherwise prohibited by law).
3.8 Company will promptly notify Customer upon Company’ or its Sub-processors’ determination that it can no longer meet its obligation to provide the level of protection to Personal Data required under the Agreement and this DPA.
3.9 Upon notice by Customer, where Customer has determined Company is not processing data in accordance with the Agreement and this DPA, Company will take reasonable and appropriate steps to stop and remediate such unauthorized processing.
3.10 Company will not, without Customer’s prior written approval, collect, use, retain, or process Personal Data for any purposes other than for the specific purposes set forth herein. For the avoidance of doubt, Company will not process Personal Data outside of the direct business relationship between Customer and Company, unless the Company is required by any applicable law to which the Company is subject, to process Personal Data for any other purposes (in which case the Company shall, to the extent permitted by such applicable law, use reasonable efforts to inform the Customer of such legal requirement before making such processing).
3.11 Company certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.
3.12 At the written direction of the Customer, Company will delete (and certify to the Customer that it has done so) or return the Personal Data and copies thereof to the Customer on termination of the Agreement unless legislation imposed on the Company prevents it from returning or destroying the Personal Data. If return or destruction of the Personal Data pursuant to this Section is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
3.13 Company will maintain complete and accurate records and information to demonstrate its compliance with this Section 3 and allow for audits by the Customer or Customer’s designated auditor.
4. Sub-processors.
4.1 Customer acknowledges and agrees that Company may (1) engage Authorized Sub-processors to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.
4.2 Company shall notify Customer before engaging any third party other than Authorized Sub-processors to access or participate in the processing of Personal Data. Customer may object to such an engagement in writing within ten (10) days of receipt of the aforementioned notice by Company. If Customer does not object to the engagement of a third party in accordance with Section 4.3 within ten (10) days of notice by Company, that third party will be deemed an Authorized Sub-processor for the purposes of this DPA.
4.3 If Customer reasonably objects to an engagement in accordance with Section 4.2, Company shall provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement. If Company, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Company may terminate the Agreement. Termination shall not relieve Customer of any fees owed to Company under the Agreement.
4.4 Company shall ensure that all Authorized Sub-processors have executed confidentiality agreements that prevent them from disclosing or otherwise processing, both during and after their engagement by Company, any Personal Data.
4.5 Company shall, by way of contract or other legal act under European Union or European Union member state law (including without limitation approved codes of conduct and Standard Contractual Clauses), ensure that every Authorized Sub-processor is subject to obligations regarding the processing of Personal Data that are no less protective than those to which the Company is subject under this DPA.
4.6 Company shall be liable to Customer for the acts and omissions of Authorized Sub-processors to the same extent that Company would itself be liable under this DPA had it conducted such acts or omissions.
4.7 If Customer and Company have entered into either the EU SCCs and/or the UK SCCs, (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Company of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Subcontractors that must be provided by Company to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Company beforehand, and that such copies will be provided by the Company only upon request by Customer.
4.8 If Company wishes to rely on Standard Contractual Clauses as the mechanism for transferring Personal Data to an Authorized Sub-processor in any country or territory outside the European Economic Area, the Customer authorises the Company to enter into Standard Contractual Clauses with such Authorized Sub-processor in the Customer’s name and on its behalf. The Company will make the executed Standard Contractual Clauses available to the Customer on request.
5. Cooperation.
Where Company processes the Personal Data under or in connection with the performance of its obligations under the Agreement, Company shall:
5.1 taking into account the nature of the processing and the information available to Company, reasonably assist Customer to fulfil Customer’s obligations under Data Protection Laws:
5.1.1 where possible, to respond to requests from Customer concerning Data Subjects exercising their rights in Personal Data under Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Company, Company will inform the requester to contact the Customer which is responsible for their Personal Data and will not otherwise respond to the request. In the event Company is unable to delete Personal Data for reasons permitted under the Data Protection Laws, Company shall (i) promptly inform Customer of the reason(s) for its inability to fulfil the deletion request, and (b) ensure the continued privacy, confidentiality and security of such Personal Data; and
5.1.2 with respect to Articles 32 to 36 of the GDPR.
5.2 Make available to Customer all information reasonably requested by Customer for the purpose of demonstrating that Customer’s obligations relating to the appointment of Data Processors as set out in Article 28 of the GDPR have been met and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
5.3 If changes in Data Protection Laws result in new material obligations as it relates to Company’s assistance under this Section, the parties will work together in good faith to agree upon an acceptable resolution. Each Party shall be responsible for its own costs incurred in relation to its obligations under this Section.
6. Customer Responsibilities
6.1 Customer agrees that (i) it shall treat Personal Data that it receives, collects or processes as part of its obligations under the Agreement, whether from Company or from Customer’s end users, in accordance with Data Protection Laws; (ii) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Company; and (iii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Company to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
6.2 In particular, but without limiting the foregoing, Customer acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data; (ii) ensuring it has the right to transfer, or provide access to, the Personal Data to Company for processing in accordance with the terms of the Agreement; (iv) ensuring that Customer’s Instructions to Company regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer will inform Company without undue delay if it is not able to comply with your responsibilities under this Section or applicable Data Protection Laws.
6.3 Customer is responsible for independently determining whether the data security that Company offers adequately meets Customer’s obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from Company and the Services (including to securely backup or encrypt any such Personal Data).
7. Security and Confidentiality.
Company shall implement and maintain appropriate technical and organizational security measures necessary to meet the requirements of Article 32 of the GDPR including Company’s security standards described in Exhibit A (“Information Security Addendum”). Company shall ensure that any person it authorizes to process Personal Data (including its staff, agents and subcontractors) shall be subject to the duty of confidentiality (whether a contractual or statutory duty) that shall survive the termination of their employment and/or contractual relationship.
8. International Data Transfers.
8.1 International Transfers. The parties acknowledge and agree that a “transfer” of Personal Data includes but is not limited to (a) the storing of Personal Data on servers located/co-located outside Europe;(b) appointing a Sub-processor located outside those jurisdictions or granting access rights to any of the Company’s personnel who are located outside the EEA or UK. Customer hereby consents to the transfer of Personal Data by Company provided Company complies with the obligations of this DPA.
8.2 Data Transfer Mechanism. To the extent that Company processes any Personal Data protected by Data Protection Laws under the Agreement and/or that originates from the European Economic Area, Switzerland or United Kingdom in a country that has not been designated by the European Commission (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Company shall be deemed to provide adequate protection (within the meaning of Data Protection Laws) for any such Personal Data by implementing appropriate safeguards in accordance with applicable Data Protection Laws. Such appropriate safeguards may include, but are not limited to, having in place Binding Corporate Rules, Standard Contractual Clauses, processing in a manner consistent with the APEC Cross Border Privacy Rules System, or adhering to a certification mechanism, a contractual mechanism or code of conduct which has been approved by an applicable supervisory authority.
8.3 Alternative Data Transfer Mechanisms. Transfer mechanisms, other than those outlined in Section 8.2 above, that are approved under Data Protection Laws can be relied upon if applicable. The parties agree to use commercially reasonable efforts to put these alternative mechanisms in place, where required, and to amend this DPA as necessary to ensure compliant transfer mechanisms should there be a change in Data Protection Laws. In particular, if applicable Standard Contractual Clauses are amended, replaced, or repealed by the European Commission or under Data Protection Laws, the parties will work together in good faith to enter into any updated version of applicable Standard Contractual Clauses or negotiate in good faith a solution to enable an international transfer of Personal Data to be conducted in compliance with Data Protection Laws.
9. Standard Contractual Clauses.
To the extent that the transfer of Personal Data from Customer to Company is a Restricted Transfer and the applicable Data Protection Laws require that appropriate safeguards are put in place, and SCCs are the transfer mechanism, the applicable SCCs shall be incorporated by reference into and form an integral part of this DPA as follows:
9.1 With respect to Personal Data transferred from the European Economic Area, the EU SCCs shall apply and form part of this DPA. For purposes of the EU SCCs, they shall be deemed completed as follows:
9.1.1 Customer acts as a controller and Company acts as Customer’s processor with respect to the Personal Data subject to the EU SCCs, and its Module 2 applies.
9.1.2 Under Clause 7 (the optional docking clause) is not included.
9.1.3 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of Sub-processors is set forth in Exhibit B, and Company shall provide notice of any changes to that list through the addition or replacement of Sub-processors at least 10 days in advance.
9.1.4 Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
9.1.5 Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the applicable EU Member State.
9.1.6 Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the applicable EU Member State.
9.1.7 Annexes I and II of the EU SCCs are set forth in Schedule A below.
9.1.8 Annex III of the EU SCCs (List of sub-processors) is inapplicable.
9.2 With respect to Personal Data transferred from the United Kingdom, the UK SCCs apply and shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by the UK GDPR. For purposes of the UK SCCs, they shall be deemed completed as follows:
9.2.1 The “exporter” is the Customer, and the exporter’s contact information is set forth in the Agreement.
9.2.2 The “importer” is Company, and Company’ contact information is set forth in the Agreement.
9.2.3 Table 2 of the UK SCCs shall be completed as stated in Section 9.2 above.
9.2.4 “Appendix Information” as defined in the UK SCCs shall incorporate the information stated in Exhibit A and Schedule A attached to this DPA.
9.2.5 By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Appendices.
9.3 This Section sets out the parties’ interpretation of their respective obligations under specific clauses of the EU SCCs as identified below. Where a party complies with the interpretations set out in this Section, that party shall be deemed by the other party to have complied with its commitments under the EU SCCs.
9.3.1 Clauses 8.3 of the EU SCCs: Customer agrees that the EU SCCs constitute Company’ Confidential Information as that term is defined in the Agreement and may not be disclosed by Customer to any third party without Company’ prior written consent unless permitted pursuant to the Agreement. This shall not prevent disclosure of the EU SCCs to a Data Subject pursuant to the applicable Clauses.
9.3.2 Clause 9 of the EU SCCs: Customer agrees that after Customer receives notice of an intended addition or replacement of a Sub-processor, Company and Customer will have a commercially reasonable period of time to cooperate in good faith to address the objection. If Company is unable to address the objection to Customer’s satisfaction, then Customer’s sole and exclusive remedy is to terminate the Agreement. If Customer terminates pursuant to this Section, then all fees owed by Customer to Company for the then-current term of the Agreement will immediately become due. If Customer does not object to the Sub-processor, then Customer hereby provides authorization to the use of such Sub-processor for the purposes of providing services under the Agreement.
9.3.3 Clause 9(c) of the EU SCCs: Customer agrees that the copies of the Sub-processor agreements may be provided only upon reasonable request, and only once annually (unless requested by a supervisory authority).
9.3.4 Clause 8.9(c), (d) of the EU SCCs: An “audit” as described therein will be carried out as follows. Upon request by Customer, and subject to the confidentiality obligations of the Agreement, Company will make available to Customer the security information Company generally makes available to its customers (including audit reports), so that Customer can verify Company’ compliance with the audit standards against which it has been assessed, and this DPA. In the event an on-site review is required by a supervisory authority or is otherwise reasonably requested by Customer, Customer and Company will mutually agree upon the scope, timing, and duration of such on-site review. On-site audits will be carried out during normal business hours at Customer’s expense and without disrupting Company’ business operations. In general, Customer is allowed to conduct one audit per calendar year. However, this does not affect the Customer’s right to conduct further audits in the event of special occurrences (e.g. Security Incidents).
9.3.5 Clause 12 of the EU SCCs: Any claims brought under the EU SCCs (as applicable) shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
9.3.6 Clauses 8.5 and Clause 16(d) of the EU SCCs: Certification of deletion of Personal Data will only be conducted upon Customer’s request.
9.4 With respect to Personal Data transferred from Switzerland, the EU SCCs will apply with the following modifications: (a) references to “Directive 95/46/EC” or “Regulation (EU) 2016/679” are interpreted as references to the Swiss DPA ; (b) references to specific articles of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of the Swiss DPA; (c) references to “EU”, “Union” and “Member State” are replaced with “Switzerland” (d) Clause 13 (a) and Part C of Annex II are not used and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information and the relevant courts of Switzerland; (e)in Clause 18 (b) disputes will be resolved before the courts of Switzerland.
9.5 The rights and obligations afforded by Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. The parties do not intend to contradict or restrict any of the provisions of the Standard Contractual Clauses and accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
10 Miscellaneous.
10.1 If at any time during the term of this DPA the European Commission, the UK’s Information Commissioner’s Office or any relevant supervisory authority adopts any controller-to-processor standard clauses or similar terms forming part of an applicable certification scheme, whether or not relating to the transfer of personal data outside the EEA, either party may request that this DPA shall be reviewed with a view to adopting the same in whole or in part.
10.2 Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of the DPA will control.
10.3 This DPA shall remain in full force and effect until the earlier of (i) the expiration or termination of the Agreement and (ii) the mutual agreement of the parties to terminate.
EXHIBIT A
Information Security Addendum
This Information Security Addendum (“Addendum”) describes the technical and organizational measures implemented by Company to ensure an appropriate level of security and supplements and forms part of the Agreement and the DPA. In the event of a conflict between the terms of the Agreement and this Addendum, the terms of the Agreement will apply. Capitalized terms used but not defined herein will have the meaning set forth in the Agreement.
1. Access Control.
1.1 Preventing Unauthorized Product Access
1.1.1 Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the services under the Services Agreement in accordance with the Agreement. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
1.1.2 Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
1.1.3 Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
1.1.4 Authorization: Customer data is stored in multi-tenant storage systems accessible to customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
1.1.5 Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.
1.2 Preventing Unauthorized Product Use. We implement industry standard access controls and detection capabilities for the internal networks that support its products.
1.2.1 Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
1.2.2 Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
1.2.3 Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.
1.2.4 Penetration testing: We maintain relationships with industry recognized penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
1.3 Limitations of Privilege & Authorization Requirements
1.3.1 Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
1.3.2 Background checks: All Data Processor employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Data Processor employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
2. Transmission Control.
2.1 In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on our products. Our HTTPS implementation uses industry standard algorithms and certificates.
2.2 At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
3. Input Control.
3.1 Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
3.2 Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
4. Availability Control.
4.1 Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.5% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
4.2 Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
4.3 Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
4.4 Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
EXHIBIT B
List of Sub – processors
Sub-processor Name |
Processing Activity |
Location |
Appropriate Safeguard (if outside EEA) |
Salesforce |
Customer Support |
US |
SCCs |
AWS |
Data Storage |
US |
SCCs |
DocuSign |
Electronic Signature |
US |
SCCs |
Microsoft |
Various Office Applications |
US |
SCCs |
Mindtickle |
Sales Enablement |
US |
SCCs |
Zoom |
Virtual Conferencing |
US |
SCCs |
Datavail |
Database Administration |
US |
SCCs |
SCHEDULE A
Annex I of the EU SCCs
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter:
Name: The data exporter is the Customer specified in the Agreement.
Address: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: Obtaining the Services from data importer.
Role (controller/processor): Controller
Data importer:
Name: RMG Enterprise Solutions, Inc. dba Korbyt
Address: 15301 Dallas Pkwy, Addison, TX 75001
Contact person’s name, position and contact details: George Clopp, Chief Technology Officer, George.clopp@korbyt.com, 972.744.3961.
Activities relevant to the data transferred under these Clauses: Providing the Services to data exporter.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
Data exporter’s customers, employees, suppliers, end-users and third parties whose Personal Data is obtained through the Services.
Categories of personal data transferred
The data exporter may submit Personal Data to Company, the extent of which is determined and controlled by the data exporter in its sole discretion. Such Personal Data may include basic contact data (name, organization, title, postal address, email address, telephone number), usage data (browser and device information, operating system, device type, system and performance information, app usage data, information collected through cookies) of data exporter’s users, as well as any other types of Personal Data that data exporter or its users may enter into the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None anticipated.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuously for the length of the Agreement between the parties.
Nature of the processing
Personal data transferred will be processed to (i) provide Services to the data exporter and fulfil the data importer’s obligations under the Agreement; (ii) provide customer support to the data exporter; and (iii) in compliance with applicable law.
Purpose(s) of the data transfer and further processing
To (i) provide Services to the data exporter and fulfil the data importer’s obligations under the Agreement; (ii) provide customer support to the data exporter; and (iii) in compliance with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data shall be retained for the length of time necessary to provide Services under the Agreement, or as otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Company’ sub-processors will process personal data to assist Company in providing the Services pursuant to the Agreement, for as long as needed for Company to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.
The parties shall follow the rules for identifying such authority under Clause 13.
Annex II of the EU SCCs
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
Please see Exhibit A of the DPA, which describes the technical and organizational security measures implemented by Company.