Data Processing Addendum
OPTI9 DATA PROCESSING ADDENDUM
(with EU Standard Contractual Clauses)
This Data Processing Addendum (together with Exhibit 1 and its Appendices, the “Addendum”) is between Opti9 Technologies, LLC, a Delaware Company (“Opti9”) and the customer signing below (the “Customer”) with respect to the existing Master Services Agreement between Opti9 and Customer (the “Agreement”) and the services provided to Customer by Opti9 thereunder (the “Services”). Opti9 and Customer are each a “party” and together the “parties”.
The purpose of this Addendum is to address the Customer’s compliance obligations under the European Union General Data Protection Regulation (“GDPR”) and other Applicable Data Protection Law.
Article 4 of the GDPR classifies those who handle data as “data controllers” or “data processors”. A data controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while a data processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller.” “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Article 2 of the GDPR, “Scope,” provides in part, “[t]his Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.” Under those articles, as a general rule, Opti9 is not liable for the information placed on its network by its customers. This protection from liability is incorporated into the GDPR by Article 2. By entering into this Addendum, Opti9 does not intend to admit, or imply, that Opti9 is obligated to comply with any Applicable Data Protection Law in connection with Services that are beyond the scope of such laws or in connection with which Opti9 is otherwise protected from liability. This Addendum is therefore applicable only if and to the extent that an Applicable Data Protection Law applies to the Processing of any Personal Data by Opti9 for Customer or End Users in relation to the Services (“Customer Personal Data”).
HOW TO EXECUTE THIS ADDENDUM. This Addendum, including Exhibit 1, has been pre-signed on behalf of Opti9. Customer must complete, sign and return a copy of the Addendum to legal@Opti9tech.com. This Addendum shall only be effective on the date that Opti9 provides Customer with an acknowledgement of receipt of the signed Addendum. Upon the effective date, the Agreement shall be deemed amended to incorporate this Addendum and (if applicable) Exhibit 1 shall take effect.
1. DEFINED TERMS. For the purposes of this Addendum, the following definitions apply and shall prevail as to any conflict with definitions under the Agreement:
“Applicable Data Protection Law” means the EU General Data Protection Regulation (EU) 2016/679 (“Regulation”), in each case together with any transposing, implementing or supplemental legislation; and “Personal Data“, “Process/Processing“, “Controller“, “Processor“, and “Data Subjects” shall have the meanings given to them in Applicable Data Protection Law.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
“Customer System” means an information technology system (including hardware and software) which is the subject of the Services or to which the Services relate.
“End Users” means Customer’s own customers or other persons who utilize the Services pursuant to Customer’s Agreement for the processing of Personal Data.
“Model Clauses” means the standard contractual clauses (processors) for the transfer of personal data set out in the EU Commission Decision of 5 February 2010 (2010/87/EU); and “subprocessor”, “Data Importer”, and “Data Exporter” shall have the meanings given to them in the Model Clauses.
“Personal Information” means any data or information that relates to an identified or identifiable natural person, to the extent that such information is protected as “personal data” or “personal information” (or an analogous variation of such terms) under applicable U.S. Data Protection Laws.
“Security Incident” means a breach or failure of Opti9 security leading to (i) accidental or unlawful destruction of Customer Personal Data or (ii) loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
“Transfer Protections” means, in relation to a transfer of Customer Personal Data outside the EEA (including any such transfers to Opti9 and/or to subprocessors of Opti9), measures to enable the transfer to be made in compliance with Applicable Data Protection Law, including without limitation where the recipient of such data: (i) has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, (ii) has executed standard contractual clauses adopted or approved by the European Commission (including Model Clauses under this Addendum), or (iii) has in place an alternative mechanism that complies with Applicable Data Protection Law for the transfer of Personal Data outside the European Union.
“U.S. Data Protection Laws” means all laws and regulations of the United States of America, including the CCPA, applicable to the processing of Personal Information.
2. PROCESSING OF PERSONAL DATA AND PARTIES’ OBLIGATIONS. Each party agrees to comply with the obligations that apply to it under Applicable Data Protection Law.
2.1 Processing of Customer’s Personal Data. The parties agree that, in respect to any Processing of Customer Personal Data through the provision or use of the Services:
- Customer may act as either a Controller or a Processor with respect to Customer Personal Data. Opti9 is a Processor where Customer is a Controller, or a subprocessor when Customer is a Processor;
- The subject matter of the Processing is Opti9’s provision and Customer’s use of the Services and the detection, prevention and resolution of security and technical issues as provided for in the applicable Agreement;
- As between Opti9 and Customer, the duration of the Processing is determined by Customer but shall not extend past the termination of the Agreement;
- The purpose of the Processing is to provide Services to Customer under the Agreement and the detection, prevention and resolution of security and technical issues as provided for in the applicable Agreement and any purposes compatible therewith;
- The type of Personal Data Processed is any Personal Data provided or made available to Opti9 by or on behalf of Customer or End User through the use or provision of the Services; and
- The categories of Data Subjects are those whose Personal Data are provided or made available to Opti9 by or on behalf of Customer or any End User through the use or provision of the Services.
2.2 Opti9’s Responsibilities.
2.2.1 Opti9 shall Process Customer Personal Data only on Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization (instructions on which are set out in section 2.2.4 below), unless required to do so by applicable law to which Opti9 is subject; in such a case, Opti9 shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The parties agree that this Addendum, the Agreement and Customer’s configuration and use of the Services together constitute Customer’s complete and final documented instructions to Opti9 on the Processing of Customer Personal Data;
2.2.2 Opti9 shall ensure that all Opti9 personnel (including staff, agents and subcontractors) who Opti9 authorizes to Process Personal Data are subject to a duty of confidentiality (whether contractual or statutory); and
2.2.3 Opti9 shall maintain and implement technical and organizational measures appropriate (having regard to the state of technological development and cost of implementation) to the risk of, and to seek to protect Customer Personal Data against, any Security Incident. Such measures shall include, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. At a minimum, such measures shall include those set out in the Agreement. In relation to the security of Customer Systems, the Customer agrees that those security practices and security Services otherwise detailed in the Agreement are appropriate for Customer Personal Data (and satisfy Opti9’s obligation under this sub-section), in conjunction with the Customer’s obligations regarding security measures set out in the Agreement;
2.2.4 Opti9 shall not transfer any Customer Personal Data outside of the European Economic Area unless it has taken steps to ensure Transfer Protections, but subject to such Transfer Protections Customer agrees that Customer Personal Data may be Processed in countries where Opti9 or its subprocessors maintain facilities or personnel as necessary so that Opti9 may fulfill its obligations under the Agreement;
2.2.5 Opti9 shall respond to any Data Subject request to exercise their rights, or any other Data Subject query, regarding Customer Personal Data, by either asking the Data Subject to make their request to Customer or notifying the Customer of the same. Opti9 shall assist the Customer in respect of the rights of Data Subjects as follows (and the Customer agrees that this sub-section 2.2.5 only applies to the extent Customer does not itself hold or otherwise have access to the Customer Personal Data, and to the extent to which it is possible for Opti9 to provide such assistance taking into account the nature of the Processing):
2.2.5.1 assist the Customer to respond to any request from a Data Subject to exercise any of her or his rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable) by providing technical measures to provide Customer, in a manner and to the extent consistent with the functionality of the Services and Opti9’s role as Processor, with the ability itself to access, correct, erase, restrict or export Customer Personal Data. In respect of Customer Personal Data which the Customer receives, stores, or transmits on or using the Customer System, the parties agree that the sole assistance Opti9 shall provide is to permit the Customer, in a manner and to the extent consistent with the functionality of the Services and Opti9’s role as Processor, with the ability itself to access, correct, erase, restrict or export Customer Personal Data. In respect of other Customer Personal Data, at Customer’s reasonable request and expense, Opti9 shall provide reasonable and timely further assistance to Customer to respond to any such Data Subject requests.
2.2.5.2 provide reasonable and timely assistance to Customer, at Customer’s reasonable request and expense, to respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of Customer Personal Data.
2.2.6 If Opti9 becomes aware of a confirmed Security Incident, Opti9 will inform Customer without undue delay and provide reasonable information (to the extent that such information is known or available to Opti9) and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Opti9 shall further take such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of material developments in connection with the Security Incident. In respect of Customer Personal Data which the Customer receives, stores, or transmits on or using the Customer System, the parties agree that (i) Opti9’s obligations under this subsection 2.2.6 shall be limited to the extent consistent with the functionality of the Services and Opti9’s role as Processor, the monitoring and security Services purchased by the Customer, and the parties’ respective security obligations under the Agreement; (ii) Opti9 shall be under no obligation to notify Customer of routine security alerts in respect of the Customer System (including without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) except as otherwise specifically required by the Agreement; (iii) Opti9’s remediation and mitigation obligations shall be limited to Security Incidents arising out of breach by Opti9 of its security obligations set out in the Agreement; and (iv) Opti9’s assistance shall be at the Customer’s expense except where the Security Incident is caused by breach by Opti9 of its security obligations in the Agreement;
2.2.7 Customer acknowledges that Opti9 has no knowledge of the Customer Personal Data received, stored, or transmitted on or using the Customer System. Accordingly, taking into account the nature of the Processing and the information available to Opti9, Opti9 shall assist Customer in ensuring compliance with Customer’s obligations pursuant to data protection impact assessments and prior consultation under Applicable Data Protection Law by providing (at Customer’s expense) the audit reports specified in the Agreement and the security tools included in the Services, if any. If Opti9 believes or becomes aware that its Processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law;
2.2.8 Opti9 shall enable Customer to retrieve and/or delete Customer Personal Data before any termination of the Agreement. Customer instructs Opti9, after the end of the provision of the Services, to delete all Customer Personal Data in Opti9’s possession or control, including existing copies thereof, but this requirement shall not apply to the extent Opti9 is required by applicable law to retain all or some of the Customer Personal Data or to Customer Personal Data Opti9 has archived on backup systems, which data Opti9 shall securely isolate and protect from any further processing except to the extent required by such law until such time as the relevant back-up is destroyed in accordance with Opti9’s standard backup destruction policies; and
2.2.9 Opti9 shall maintain records required by Applicable Data Protection Law and information to demonstrate its compliance with Applicable Data Protection Law in relation to its Processing of Customer Personal Data; and provide to the Customer audit reports as otherwise specified in the Agreement to demonstrate compliance.
2.3 Subprocessing. The following provisions shall apply in relation to any subprocessing.
2.3.1 Customer authorizes Opti9 to engage third party subcontractors and/or resellers (including but not limited to, Amazon, Microsoft and Google) as subprocessors in connection with the provision of the Services to Customer. The parties agree that: (i) Opti9 shall maintain and make available to the Customer an up-to-date list of its subprocessors, giving the Customer notice of any change in subprocessors prior to any new subprocessor being authorized to Process any Customer Personal Data by updating the list accordingly; (ii) Opti9 shall impose written data protection terms on any subprocessor it appoints that require it to Process any Customer Personal Data only to the extent necessary to provide the services for which it has been engaged by Opti9 (and for no other purpose) and to protect the Customer Personal Data to at least the standard required by this Addendum and Applicable Data Protection Law; and (iii) Opti9 shall remain liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. Customer may object to Opti9’s appointment or replacement of a subprocessor by terminating its use of the affected Services for convenience on giving written notice in the manner provided in the Agreement (save that the period of notice given by Customer shall be 7 days, and notice must be given by Customer within 7 days of Opti9’s notice of appointment or replacement) as its sole and exclusive remedy, without prejudice to any fees incurred by Customer for those Services before any such notice of termination takes effect; and such notice of termination shall be ineffective if Opti9 notifies Customer that the proposed appointment or replacement shall not be effective as to the Customer prior to expiry of the Customer’s notice of termination.
2.3.2 Customer agrees to Opti9 giving any such subprocessors access to Customer’s Customer System so that Opti9 can deliver the Services under the Agreement. Customer further agrees that those subprocessors may be based outside of the state, province, country, or other jurisdiction in which Customer has chosen to store Customer Personal Data, subject to Opti9 taking steps to ensure Transfer Protections if transfers are made to those subprocessors. Opti9 requires that its subprocessors maintain security and data protection practices that are consistent with the Agreement.
2.4 Customer Responsibilities. Customer undertakes that its instructions to Opti9 as its Processor and its use of the Services for processing Customer Personal Data will each (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, including Applicable Data Protection Law, and (ii) not cause Opti9 to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices and other requirements in place to enable lawful Processing of the Customer Personal Data by Opti9 for the duration and purposes of this Agreement.
In respect of data which the Customer receives, stores, or transmits on or using the Customer System (i) in addition to Customer’s obligations stated in the Agreement, the Customer is responsible for the integrity, security, maintenance and appropriate protection of Customer Personal Data, and ensuring its compliance with any privacy laws and regulations applicable to its own Processing of the Customer Personal Data and its use of the Services, including Applicable Data Protection Law; (ii) Customer controls how Customer Personal Data is stored, classified, exchanged, or otherwise Processed when using the Services; and (iii) Customer may select the territory in which it stores and Processes Customer Personal Data and may implement and maintain, or purchase supplementary services from Opti9, in order to put in place those technical and organizational security measures appropriate to the nature and volume of Customer Personal Data that Customer Processes using the Service.
2.5 Service Provider. To the extent Opti9 receives Personal Information from Customer, Opti9 acknowledges and agrees that it is the Service Provider and receives the Personal Information pursuant to the business purpose of providing the Services to Customer.
2.6 No Information Selling. Opti9 acknowledges and agrees that (i) Opti9 does not receive any Personal Information as consideration from Customer for any services or other items provided or performed by Opti9 for Customer. Opti9 does not and will not sell (as such term is defined under applicable U.S. Data Protection Law) any Personal Information received from Customer or any of Customer’s users of the Service (“Authorized Users”) pursuant to the Agreement; (ii) Opti9 does not and will not retain, use, transmit or disclose any Personal Information received from Customer or Customer’s Authorized Users pursuant to the Agreement except to the extent necessary to perform the Services under the Agreement or as otherwise permitted by the CCPA; (iii) Opti9 does not and will not retain, use, transmit or disclose any Personal Information obtained from Customer or Customer’s Authorized Users pursuant to the Agreement for any commercial purpose other than providing the Services pursuant to the Agreement; and (iv) Opti9 does not and will not retain, use, transmit or disclose any Personal Information obtained from Customer or Customer’s Authorized Users outside of the direct business relationship with Customer.
2.7 Certification. Opti9 certifies that it understands and agrees to comply with the obligations and restrictions set forth in this Addendum.
3. APPLICATION OF AND CLARIFICATION TO EXHIBIT 1. The parties agree that the Model Clauses set out in Exhibit 1 apply only if (i) Customer Personal Data to which Applicable Data Protection Law applies is transferred to Opti9 or its subprocessors located in a country that is outside of the EEA, and (ii) no Transfer Protections other than Model Clauses have been provided.
3.1 Relationship. The parties acknowledge that for the purposes of the Model Clauses (where applicable under this Addendum), Opti9 is acting in the capacity of either (i) a Data Importer when Customer is established in the EEA, or (ii) a subprocessor of Customer when Customer is located outside the EEA and is acting in its capacity as a Data Importer to its End Users. Opti9 will comply with the obligations of the Data Importer or subprocessor in the Model Clauses as applicable.
3.2 For the purposes of Processing and the transfer of Customer Personal Data from the EEA to Opti9, the applicable Clauses in Exhibit 1 shall be supplemented with the following sections 3.2(a) and 3.2(b). Such supplementary language addresses practical and operational issues and does not modify the Model Clauses:
(a) Clauses 5(f) and 12(2) of the Model Clauses (Audit Rights). Customer agrees that the audit described in Clauses 5(f) and 12(2) shall be carried out in accordance with the following provision: Opti9 shall engage qualified third party auditors to perform examinations of its systems and services for the purpose of auditing Opti9’s compliance with ISO 27001 and/or equivalent industry standards (the resulting output of such audit activities referred to as “Third Party Audit Reports”). Opti9’s annual Service Organization Control (“SOC”) report(s) or suitable equivalent standard(s) as specified by Opti9 are available to Customer upon Customer’s request subject to Opti9’s SOC distribution requirements. Subject to the terms of the Agreement and upon Customer’s request with not less than 30 days’ notice, Opti9 agrees (at Customer’s expense) to permit Customer to perform reviews of the security of the Services or evaluate and monitor Opti9’s compliance with its security obligations set forth under the Addendum (the “Customer Audits”). Customer Audits may be conducted by the internal or external auditors or personnel of Customer who have entered into a nondisclosure agreement with Opti9 (collectively, “Auditors”). Such Customer Audits shall be conducted strictly in accordance with Opti9’s security policies and procedures and consistent with industry best practices, and shall be limited to the security aspects of those Opti9 operated data centers in which the server(s) on which Customer Personal Data is located are situated and which are not covered by the Third Party Audit Reports or SOC reports.
Customer Audits are limited to viewing those Services that the Customer is using under the Agreement. Such scope does not include (i) viewing any documentation, data or other information that are related to other customers of Opti9, or (ii) interacting with data center or power equipment in any way that may interfere with the performance of or could otherwise pose a risk to the Services, as determined by Opti9 in its sole discretion. Opti9 agrees to cooperate in a commercially reasonable manner with the Auditors and provide the Auditors with commercially reasonable assistance as they may reasonably request in connection with the Customer Audit provided that the Auditors avoid disrupting Opti9’s operations during the Customer Audits. In the event that Customer requests a Customer Audit more than once in a twelve (12) month period, any additional Customer Audits will be performed at Customer’s sole cost and Customer will reimburse Opti9 for its reasonable costs associated with such additional Customer Audits. In addition, if any Customer Audit will have a duration of more than three (3) hours or exceed the agreed upon scope (including a request to audit any control that has already been covered in an independent audit report), Customer agrees to tender to Opti9 an amount equal to Opti9’s projected costs associated with the Customer Audit as a condition precedent to permitting Customer to conduct such Customer Audit.
(b) Clauses 5(h) and 11 of the Model Clauses (Subprocessing). In accordance with Clause 5(h) and Clause 11, Customer acknowledges and agrees that Opti9 may engage subprocessors as provided in section 2.3.
3.3 Where the Model Clauses contain any obligation to notify the Data Exporter, Opti9 shall make such notification to Customer. When Customer acts in the capacity as Data Importer, Customer agrees to make any required notifications to the Data Exporter.
4. GENERAL PROVISIONS
4.1 Conflicting Terms. To the extent the Model Clauses are applicable, the Model Clauses in Exhibit 1 supersede any conflicting terms in the Agreement and this Addendum as to the specific subject matter of Exhibit 1. To the extent that any provision of the Addendum conflicts with any provision of any other document(s) comprising the Agreement, the terms of the Addendum shall, as to the specific subject matter of the Addendum, take precedence over the conflicting term(s) of such other document(s).
4.2 Governing Law. To the extent any claim arises under Model Clauses in relation to the processing by Opti9 of Personal Data that Customer stores or otherwise processes using the Services (including any claims by a Data Subject pursuant to Clause 3 of Model Clauses), the Model Clauses shall be governed by and construed in accordance with Clause 9 (Governing Law) of the Model Clauses. The parties agree that, save as provided above, nothing in this Addendum shall affect the application of the governing law section of the Agreement, which applies to all other claims brought under the Agreement and this Addendum.
4.3 Limitation of Liability. Customer agrees to exercise its remedies arising out of or related to this Addendum and the Model Clauses solely against Opti9 (and Opti9 accepts liability accordingly). Customer’s remedies arising out of or related to this Addendum and the Model Clauses will be subject to those limitations of liability which apply under the Agreement, and the aggregate liability of Opti9 under the Agreement, this Addendum and the Model Clauses in relation to the Processing of Customer Personal Data shall not exceed the lesser of (i) the maximum liability of Opti9 to Customer under the Agreement or (ii) one million dollars (US$1,000,000). This Section 4.3 shall not vary Clause 6 of the Model Clauses. Opti9 is not liable for any claim brought by Customer or any third party (including without limitation any Data Subject, or regulatory or supervisory authority) arising from its compliance with Customer’s instructions.
4.4 Third Party Beneficiaries. Notwithstanding anything to the contrary in the Agreement, where Opti9 receiving a transfer of Customer Personal Data is not a party to the Agreement, Opti9 will be a third party beneficiary of the Agreement and of this Addendum (including without limitation section 4.3). Opti9 and Customer further agree that, with the exception of (a) Exhibit 1 to which the Data Subjects are third-party beneficiaries, and (b) those provisions of the Agreement that are relevant to the services provided by Opti9 and to which Opti9 is a beneficiary, the Agreement does not confer any rights to any End Users, Data Subjects, or any other third party. This Addendum does not establish any direct rights of Customer’s respective End Users against Opti9 regarding the delivery of the Services.
4.5 No further amendment. All terms and conditions in the Agreement save as amended herein remain in full force and effect and are binding upon the parties.
4.6 Modification. Opti9 may amend or supplement this Addendum, after giving prior notice to the Customer, if and to the extent necessary to comply with applicable law or requirement of any supervisory, regulatory or governmental authority; to implement any standard contractual clauses adopted by the European Commission or a supervisory authority under the Regulation; to comply with any certification granted to Opti9 under the Regulation; or to adhere to a code of conduct approved under the Regulation.
5. TERM AND TERMINATION
5.1 This Addendum and the Model Clauses will terminate contemporaneously and automatically with the termination or expiration of the Agreement.
5.2 Opti9 may terminate the Model Clauses (where applicable under section 3) if Opti9 offers alternative mechanisms to Customer that comply with Applicable Data Protection Law regarding the transfer of Customer Personal Data outside the EEA.
Exhibit 1: Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the Customer that is a party to the Addendum to which these Standard Contractual Clauses are attached and Opti9 have agreed on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 6(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorised access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
  - to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
  - to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Subprocessing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Attached as Exhibit 1 to the Addendum
This Appendix forms part of the Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Terms used in this Appendix 1 have the meaning given to them in the Data Processing Addendum to which these Standard Contractual Clauses have been appended.
DATA EXPORTER: means Customer or its End Users located in the EEA.
DATA IMPORTER: Where Customer transfers to Opti9 any Customer Personal Data to which Applicable Data Protection Law applies, the term “data importer” means Opti9. Where a non-EEA Customer imports Personal Data on behalf of its End Users located in the EEA, the term “data importer” means Customer.
The DATA SUBJECTS, CATEGORIES OF DATA and PROCESSING OPERATIONS are as set out in section 2.1 of the Addendum.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Attached as Exhibit 1 to the Addendum
This Appendix forms part of the Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Opti9 utilizes a 3rd party service to screen all new employees and to verify credentials. New and existing employees are trained in security awareness, HIPAA compliance, and industry-recognised best practices for the systems they manage via a Litmos online training system. The system also ensures employees are re-certified on a bi-annual basis for all internal SOPs and technical procedures.
Vendor and contractor screening procedures exist to ensure proper vetting of any 3rd party allowed within Opti9 facilities. Access is escorted and granted only temporarily.
Physical security of Opti9’s facilities is ensured via 24×7 on-site FTEs and two-factor authentication, including biometrics and card access. A mantrap exists at the entrance to the physical data center.
All visitors must use an iPad-based access system where their picture and contact details are recorded on a per-visit basis. Customers may audit their employees’ visits on demand. Staff also verify physical ID on a per-visit basis and hold the physical identification for the duration of the visit.
Opti9 maintains surveillance cameras covering every row and area of its data centers, with 90-day retention. Customers may request access to camera data for relevant areas.
Managed servers are patched via a centralized patch management system based upon Spacewalk for Linux-based platforms and Kaseya for Windows-based platforms. Servers are patched and rebooted based on standard operating procedures.
Opti9 utilizes a hardware and software version asset tracking system to ensure it is notified of important vulnerabilities or upgrades available for critical infrastructure. Updates are performed based upon pre-determined scheduling standards tied to platform importance. Critical updates are scheduled immediately, while non-critical updates are scheduled into predefined windows.
Opti9’s strategy and philosophy regarding cyber security is that cloud and disaster recovery providers must be Managed Security Service Provider (MSSP) agnostic. Customers can provide their own security providers, utilize Opti9, or manage security directly.
Opti9 has encouraged multiple MSSPs to deploy within its physical footprints so that Customers may engage with them directly and privately within the data center via cross connects “behind the firewall”. This further enhances Opti9’s ecosystem of managed services and allows Customers multiple options when evaluating security vendors who can provide private and “air-gapped” security services.
Opti9 itself contracts directly with an MSSP which is deployed within its footprint and provides 24×7 SOC services such as threat monitoring, mitigation, vulnerability scanning, and penetration testing on its core infrastructure, network, NOC network, and management network. Using a best-in-breed MSSP coupled with Opti9’s traditional managed security services and automated DDoS response helps prevent cyberattacks.
Opti9 also utilizes a 3rd party MSSP for:
- Network and application penetration testing: annual
- Asset and vulnerability scanning: quarterly
- Real-time cyber security monitoring: continuous
Auditing & Controls:
Opti9 is audited for SOC2 compliance via an independent 3rd party and has no exceptions listed within the reports. Opti9 also maintains auditing and compliance with the defined standards for HIPAA, CJIS, FISMA, NYS DFS 500, and PCI.
Intrusion detection & intrusion prevention
IDS and IPS are provided via a multi-layer approach:
- All public network traffic is monitored via a Netflow monitoring service which detects traffic anomalies based upon known signatures, standard deviation, and Opti9 configured properties.
- Private cross connects exist to multiple internal and external DDoS Monitoring and mitigation services. The configuration automatically detects, notifies, and blocks volumetric and application specific attacks.
- The Network edge is configured to protect against known reflection attacks such as DNS, NTP, CLDAP, SNMP and others.
- An internal RTBH (Real-Time Black Hole) service allows multiple security systems to inject network-wide blackholing of abusive addresses into the network.
- Edge firewall devices provide inherent IDS/IPS functionality, blocking, and reporting.
- Edge firewall devices are configured with a multitude of dynamic blocking rules to detect and block network-wide scans as well as known signature based attacks.
- Edge firewalls are configured to receive data from multiple 3rd party blacklist services.
- Opti9 staff members are segmented on a per-staff, per-VLAN basis to ensure proper segmentation.
- Customers are segmented on physical devices per VLAN/VXLAN.
- A 3rd party MSSP provides 24×7 SOC services to Opti9, receiving data directly from Opti9’s edge firewall devices, routers, and centralized logging systems. The MSSP provides SOC services with a 15-minute response SLA for human interpretation of potential threats.