DATA PROCESSING ADDENDUM
This Data Processing Addendum (including the annexes attached hereto) (“DPA”) forms a part of, and is incorporated by reference into, the Terms and Conditions (the “Agreement”) between the party identified as the Customer in the Terms and Conditions (“Customer”) and RecordLinker Inc. (“RecordLinker”). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) Information Security Incident means a breach of RecordLinker’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in RecordLinker’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(c) Security Measures has the meaning given in Section 4(a) (RecordLinker’s Security Measures).
(d) Subprocessors means third parties that RecordLinker engages to Process Personal Data in relation to the Service.
- Duration and Scope of DPA
(a) This DPA will remain in effect so long as RecordLinker Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
(b) Annex 1 (California Annex) to this DPA applies only to the Processing of Personal Data subject to the CCPA with respect to which Customer is a Business (as defined in CCPA).
- Customer Instructions
(a) RecordLinker will Process Personal Data only in accordance with Customer’s instructions. By entering into this DPA, Customer instructs RecordLinker to Process Personal Data to provide the Service and to perform its other obligations and exercise its rights under the Agreement, including without limitation to (i) carry out any benefits, rights and obligations relating to the Service; (ii) maintain records relating to the Service; or (iii) comply with any legal or self-regulatory obligations relating to the Service. Customer acknowledges and agrees that RecordLinker may create and derive, from Processing related to the Service, anonymized and/or aggregated data that does not identify Customer or any natural person, and may use, publicize, or share with third parties such data to improve RecordLinker’s products and services and for its other legitimate business purposes.
- Security
(a) RecordLinker Security Measures. RecordLinker will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”) as described in Annex 2 (Security Measures). RecordLinker may update the Security Measures from time to time, provided the updated measures do not decrease the overall protection of Personal Data.
(b) Information Security Incidents. RecordLinker will notify Customer without undue delay of any Information Security Incident of which RecordLinker becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps RecordLinker recommends Customer take to address the Information Security Incident. RecordLinker’s notification of or response to an Information Security Incident will not be construed as RecordLinker’s acknowledgement of any fault or liability with respect to the Information Security Incident.
(c) Customer’s Security Responsibilities and Assessment
(i) Customer’s Security Responsibilities. Customer agrees that, without limitation of RecordLinker’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; (c) securing Customer’s systems and devices that RecordLinker uses to provide the Service; and (d) backing up Personal Data.
(ii) Customer’s Security Assessment. Customer agrees that the Service, the Security Measures and RecordLinker’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
- Data Subject Rights
(a) RecordLinker’s Data Subject Request Assistance. RecordLinker will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in RecordLinker’s possession or control. Customer shall compensate RecordLinker for any such assistance at RecordLinker’s then-current professional services rates, which shall be made available to Customer upon request.
(b) Customer’s Responsibility for Requests. If RecordLinker receives a Data Subject Request, RecordLinker will advise the data subject to submit the request to Customer and Customer will be responsible for responding to any such request.
- Customer Responsibilities
(a) Customer shall not provide or otherwise make available as part of the Customer Content any Social Security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords to any online accounts; credentials to any financial accounts; tax return data; any payment card information subject to the Payment Card Industry Data Security Standard; or personal data of children under 13 years of age (“Sensitive Personal Information”). In the event that either party becomes aware that any Sensitive Personal Information has been inadvertently included in the Customer Content, the parties shall work together to promptly delete such Sensitive Personal Information from the Customer Content. Notwithstanding the foregoing, Customer acknowledges that RecordLinker shall not have any affirmative obligation to search for or ascertain whether Sensitive Personal Information is present in the Customer Content.
(a) Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement and this DPA combined, will be limited to the limitations on liability or other liability caps agreed to by the parties in the Agreement.
(b) Conflict. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.
(c) General. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith to the contrary, the parties acknowledge and agree that RecordLinker’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by RecordLinker to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to RecordLinker’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
ANNEX 1 TO DPA
- For purposes of this Annex 1, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
- It is the parties’ intent that with respect to any personal information, RecordLinker is a service provider. RecordLinker shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service; or (c) retain, use or disclose the personal information outside of the direct business relationship between RecordLinker and Customer. RecordLinker hereby certifies that it understands its obligations under this Section 2 and will comply with them.
- The parties acknowledge that RecordLinker’s retention, use and disclosure of personal information authorized by Customer’s instructions stated in the DPA are integral to Vendor’s provision of the Services and the business relationship between the parties. The exchange of Personal Data does not form part of the consideration exchanged between the parties in respect of the Agreement or any other business dealings.
ANNEX 2 TO DPA
- Organizational management responsible for the development, implementation and maintenance of RecordLinker’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to RecordLinker’s organization, monitoring and maintaining compliance with RecordLinker’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or wirelessly, or that is at rest or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that the passwords RecordLinker assigns to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on RecordLinker’s computer systems; (iii) meet defined complexity requirements; and (iv) when newly issued, be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of RecordLinker’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from RecordLinker’s possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to RecordLinker’s technology and information assets.
- Incident management procedures designed to allow RecordLinker to investigate, respond to, mitigate and notify of events related to RecordLinker’s technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures.
- Patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service during, and/or recover from, foreseeable emergencies or disasters.