DATA PROCESSING ADDENDUM
This Data Processing Addendum ("DPA") is incorporated into and a part of the Agreement between RecordLinker and Customer.
1. Duration and Scope of DPA
(a) This Addendum applies solely to RecordLinker's Processing of Personal Information in the course of providing the Services. As to such Personal Information, RecordLinker acts as a "service provider" or "processor" under Applicable Privacy Laws, and Customer acts as the "business" or "controller". This DPA will remain in effect so long as RecordLinker Processes Personal Information, notwithstanding the expiration or termination of the Agreement.
2. Customer Instructions
RecordLinker will Process Personal Information only on documented, lawful instructions from Customer, including those set forth in the Agreement and Customer's use and configuration of the Services. By entering into this DPA, Customer instructs RecordLinker to Process Personal Information to provide the Services and to perform its other obligations and exercise its rights under the Agreement, including without limitation to (a) carry out any benefits, rights and obligations relating to the Services; (b) maintain records relating to the Services; and (c) comply with any legal or self-regulatory obligations relating to the Services. Customer agrees RecordLinker may create and derive from Processing related to the Services, anonymized and/or aggregated data that does not identify Customer or any natural person and use, publicize, or share with third parties such data to improve RecordLinker's products and services and for its other legitimate business purposes. RecordLinker will promptly notify Customer if, in RecordLinker's opinion, an instruction infringes Applicable Privacy Laws, and may decline to follow such instruction until the parties agree on a compliant alternative.
3. No Sale or Sharing; Targeted Advertising and Profiling
RecordLinker will not "sell" or "share" Personal Information as those terms are defined under the Applicable Privacy Laws. RecordLinker will not Process Personal Information for targeted advertising, cross‑context behavioral advertising, or for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, except strictly as necessary to provide the Services on Customer's documented instructions. RecordLinker will not retain, use, or disclose Personal Information for any purpose other than to provide the Services, nor outside the direct business relationship between RecordLinker and Customer.
4. Combination and Secondary Use
RecordLinker will not combine Personal Information with personal information obtained from RecordLinker's other customers or from RecordLinker's interactions with the same individuals, except (a) as permitted by Applicable Privacy Laws for limited business purposes such as detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; debugging to identify and repair errors; maintaining or improving the quality or safety of the Services; or (b) as expressly instructed by Customer, provided that such combining does not constitute a sale or sharing under the Applicable Privacy Laws and does not repurpose the data beyond the Services.
5. Security
(a) RecordLinker Security Measures. Taking into account the nature of Processing and the risks to individuals, RecordLinker will implement and maintain appropriate technical and organizational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such information (the "Security Measures") as described in Annex 1 (Security Measures). RecordLinker may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Personal Information.
(b) Information Security Incidents. RecordLinker will notify Customer without undue delay of any Information Security Incident of which RecordLinker becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate risks to Customer's data and steps RecordLinker recommends Customer take to address the Information Security Incident. The occurrence of an Information Security Incident or RecordLinker's notification of or response to an Information Security Incident does not constitute and will not be construed as RecordLinker's acknowledgement or admission of any breach of its obligations, fault, or liability with respect to the Information Security Incident. "Information Security Incident" means the unauthorized acquisition or disclosure of Personal Information maintained by RecordLinker under the Agreement. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(c) Customer's Security Responsibilities and Assessment
(i) Customer's Security Responsibilities. Customer agrees that, without limiting RecordLinker's obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Information; (b) securing Access Protocols, systems and devices Customer and its Authorized Users use to access the Services; (c) securing Customer's systems and devices that Process Personal Information; and (d) backing up Personal Information.
(ii) Customer's Security Assessment. Customer agrees that the Services, the Security Measures and RecordLinker's commitments under this DPA are adequate to meet Customer's needs, including with respect to any security and data protection obligations Customer may have under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Information.
6. Data Subject Rights
(a) RecordLinker's Data Subject Request Assistance. RecordLinker will (taking into account the nature of the Processing of Personal Information) provide Customer with assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws ("Data Subject Requests") with respect to Personal Information in RecordLinker's possession or control. Assistance beyond standard product capabilities, support channels, and reasonable efforts may be provided as professional services subject to mutually agreed fees.
(b) Customer's Responsibility for Requests. If RecordLinker receives a Data Subject Request, RecordLinker will advise the data subject to submit the request to Customer and Customer will be responsible for responding to any such request.
7. Subprocessors
(a) Authorization. Customer grants RecordLinker a general authorization to engage third parties as subprocessors to support the provision of the Services. RecordLinker will impose data protection obligations on each subprocessor that are no less protective than those set out in this Addendum and will remain responsible for each subprocessor’s performance.
(b) Current List. The current list of subprocessors engaged in Processing Personal Information for the applicable Services, including a description of their processing activities and countries of location, is set forth in the Sub‑Processor Documentation available in the RecordLinker Trust Center (https://trustcenter.recordlinker.com/). Customer hereby consents to the subprocessors identified in such Sub‑Processor Documentation, including their locations and processing activities, as they relate to Customer’s Personal Information.
(c) Notification of New Subprocessors. The Sub‑Processor Documentation contains a mechanism through which Customer may subscribe to notifications of new subprocessors. If Customer subscribes, RecordLinker will notify Customer of any intended new subprocessor before authorizing that subprocessor to Process Customer’s Personal Information. Customer may object to a new subprocessor on reasonable, documented security grounds by providing written notice to RecordLinker within fifteen (15) days after receipt of RecordLinker’s notice. If the Parties cannot in good faith resolve the objection, Customer may terminate the affected Services as its sole and exclusive remedy, without fault to either Party. Customer’s continued use of the Services will constitute Customer’s acceptance of each new subprocessor.
8. Deletion, Return, and Retention
Upon expiration or termination of the Services, RecordLinker will delete Personal Information from systems under its control within sixty (60) days, subject to (a) legal obligations requiring retention and (b) retention within industry‑standard backup and archival systems, which will be overwritten in the ordinary course of RecordLinker's standard retention cycles. Upon Customer's written request, RecordLinker will provide a written certification of deletion.
9. Audit and Verification
Customer may take reasonable and appropriate steps to verify RecordLinker's compliance with its obligations as a Service Provider under the Applicable Privacy Laws. Upon written request, RecordLinker shall make available information reasonably necessary to demonstrate such compliance, which may include written responses to security and privacy questionnaires and, if available, summaries of independent third‑party audits or certifications (e.g., SOC 2). Any verification activities shall be subject to RecordLinker's confidentiality, security, and operational requirements and shall not require RecordLinker to disclose proprietary information, system logs, or information that would compromise the security or integrity of the Services.
10. Sensitive Personal Information
(a) Prohibition. Customer shall not provide or otherwise make available as part of the Customer Content any: Social Security numbers or other government-issued identification numbers; protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other personally identifiable information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; individual health insurance information; biometric information; passwords to any online accounts; credentials to any financial accounts; tax return data; credit card or payment card information subject to the Payment Card Industry Data Security Standard; or Personal Information of children under 13 years of age (collectively, "Sensitive Personal Information"). In the event that either party becomes aware that any Sensitive Personal Information has been inadvertently included in the Customer Content, the parties shall work together to promptly delete such Sensitive Personal Information from the Customer Content. Notwithstanding the foregoing, Customer acknowledges that RecordLinker shall not have any affirmative obligation to search for or ascertain whether Sensitive Personal Information is present in the Customer Content. Customer shall indemnify RecordLinker and hold RecordLinker harmless from any claims arising from the inclusion of Sensitive Personal Information in Customer Content transmitted to RecordLinker.
(b) Exception. The foregoing restriction on the inclusion of Sensitive Personal Information in Customer Content shall not apply to Customer Content that is reasonably anticipated to be Processed as part of the Customer’s system conversion in connection with the use of the RecordLinker Cognition offering.
11. Miscellaneous
(a) Liability Cap. Each party's liability in connection with this DPA will be limited to the limitations of liability and other liability caps agreed to by the parties in the Terms of Service.
(b) Conflict. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.
(c) General. Notwithstanding anything in the Agreement or any Order entered in connection therewith to the contrary, the parties acknowledge and agree that the provision of Personal Information to RecordLinker does not constitute a sale or consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by RecordLinker to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to RecordLinker's primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Annex 1 to DPA
Security Measures
1. Organizational management responsible for the development, implementation and maintenance of RecordLinker's information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to RecordLinker's organization, monitoring and maintaining compliance with RecordLinker's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Information that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that RecordLinker's passwords that are assigned to its employees: (a) be at least eight (8) characters in length; (b) not be stored in readable format on RecordLinker's computer systems; (c) have defined complexity; and (d) when newly issued, be changed after first use.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Information designed to: (a) protect information assets from unauthorized physical access, (b) manage, monitor and log movement of persons into and out of RecordLinker's facilities, and (c) guard against environmental hazards such as heat, fire and water damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from RecordLinker's possession.
9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to RecordLinker's technology and information assets.
10. Incident management procedures designed to allow RecordLinker to investigate, respond to, mitigate and notify of events related to RecordLinker's technology and information assets.
11. Patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
12. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.