Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) IS DATED AS OF THE EFFECTIVE DATE, AS IDENTIFIED ON THE INITIAL ORDER FORM BETWEEN CUSTOMER AND FASTPATH SOLUTIONS, LLC.
BETWEEN
(1) The Customer identified on the initial Order Form, which is incorporated and registered in the country, with the company number, and at the registered office, each as identified on the Order Form (the “Customer”); and
(2) Fastpath Solutions, LLC incorporated in the State of Delaware, USA with company number 7992588, whose principal office is at 4093 NW Urbandale Drive / Urbandale, IA 50322 (“Fastpath”).
BACKGROUND
A. Customer and Fastpath entered into a Subscription Services Agreement for certain services as identified on the Order Form by Fastpath (“Subscription Agreement”) that may require Fastpath to process Personal Data (as defined below) on behalf of the Customer ancillary to those services.
B. Customer is the Controller of Personal Data.
C. Fastpath is the Processor of Personal Data.
D. This Addendum sets out the additional terms, requirements, and conditions on which Fastpath will process Personal Data when providing services under the Subscription Agreement.
1. DEFINITIONS. For the purposes of this Addendum only (unless expressly incorporated elsewhere in the Subscription Agreement), capitalized terms not defined herein have the meaning given to those terms in the Subscription Agreement. To the extent there is a conflict between the definitions in this Addendum and any definition in the Subscription Agreement, the definitions in this Addendum shall control with regard to this Addendum only.
1.1 “Affiliate” means, with respect to a party, that party’s parents, subsidiaries or any other entity that directly or indirectly Controls, is Controlled by, or is under common Control with that individual, organization or entity at any time during the Term. “Control” (including, with correlative meanings, the terms “Controlled by” and “under common Control with”), means the possession, directly or indirectly, of the power to direct or exercise a controlling influence over the management or policies of such entity, whether through the ownership of voting securities or by contract.
1.2 “Applicable Data Protection Law” means (i) all applicable laws, rules, regulations, including subsequent amendments, that relate to privacy, confidentiality, security, consumer protection, or breach notification that are applicable to Personal Data and (ii) all industry standards concerning privacy, data protection, confidentiality or information security applicable to Personal Data. Applicable Data Protection Laws include, but are not limited to, the GDPR, UK GDPR, and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), as amended, by the California Privacy Rights Act (“CPRA”).
1.3 “Controller” means a person or entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. A Controller includes “businesses,” “controllers,” “data owners,” and other similar terms under Applicable Data Protection Laws that refer to persons or entities that determine the purposes and means of the processing of Personal Data.
1.4 “Data Subject Access Request” means a request pertaining to Personal Data from a Data Subject to exercise its rights pursuant to Applicable Data Protection Laws.
1.5 “Personal Data” means all information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, to an identified or identifiable natural person (“Data Subject”) or household, which is provided to Fastpath by or on behalf of Customer in connection with the Subscription Agreement. Without limiting the generality of the foregoing, Personal Data includes any information that constitutes: “personally identifiable information”; “personal data”; “protected data”; or any similar category of information or data protected under Applicable Data Protection Laws. Personal Data excludes any information that has been anonymized or de-identified in accordance with Applicable Data Protection Laws.
1.6 “Personal Data Breach” means any actual or reasonably suspected misuse, compromise, or unauthorized, accidental, or unlawful access, disclosure, acquisition, destruction, loss, or alteration of Personal Data, including, without limitation, any circumstance pursuant to which Applicable Data Protection Laws require either notification to be given to affected parties or other activity in response to such circumstance.
1.7 “Process” “Processed” or “Processing” (whether or not capitalized) (i) has the same meaning as in Applicable Data Protection Laws; and (ii) shall include any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, but not limited to, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8 “Processor” means a person or entity that Processes Personal Data on behalf of a Controller. A Processor includes “service providers,” “processors,” “third-party service providers,” “third-party agents,” and other similar terms under Applicable Data Protection Laws that refer to persons or entities that process Personal Data on behalf of a Controller.
1.9 “Sub-processor” means any Processor engaged by Fastpath in support of Fastpath’s performance of its obligations under the Subscription Agreement.
2. TERM. The term of this Addendum shall commence on the Effective Date and continue until, and automatically expire upon, the return or deletion of all Personal Data as described in this Addendum.
3. PROCESSING OF PERSONAL DATA.
3.1 Customer Instructions. Customer discloses Personal Data to Fastpath as set forth in Schedule 1 ‑ Details of Processing of Personal Data, attached hereto (“Schedule 1”), and instructs Fastpath to Process Personal Data: (i) for the business purpose of Fastpath to perform the services in accordance with the Subscription Agreement, including this Addendum; and (ii) to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Subscription Agreement, including this Addendum, and with Applicable Data Protection Laws. If Fastpath believes or becomes aware that any of Customer’s instructions conflict with any Data Protection Law, Fastpath shall inform Customer without undue delay. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customer obtained the Personal Data, and for identifying a lawful basis for processing Personal Data. If Fastpath believes or becomes aware that it cannot meet its obligations under Applicable Data Protection Laws, it must notify Customer within five (5) business days of that determination.
3.2 Processor. Customer appoints Fastpath as a Processor to Process Personal Data. Fastpath shall process Personal Data only (i) in accordance with the documented instructions received from Customer, and (ii) for the purpose of fulfilling its obligations or exercising its rights under the Subscription Agreement. Fastpath may Process Personal Data other than on the written instructions of Customer if it is required under applicable law to which Fastpath is subject. In this situation, Fastpath shall inform Customer of such requirement before Fastpath Processes the Personal Data unless prohibited by applicable law.
3.3 Processor Personnel. Fastpath shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality that survive the termination of the individual’s engagement with Fastpath. Fastpath shall ensure that access by Fastpath’s personnel to Personal Data is limited to those personnel performing Services in accordance with the Subscription Agreement.
3.4 No Sale or Sharing. Fastpath shall not sell or share any Personal Data, as those terms are defined in the Applicable Data Protection Laws. The Parties acknowledge and agree that (i) Customer has not and will not receive any monetary or other valuable consideration in exchange for Fastpath’s receipt of the Personal Data, and (ii) any consideration paid by Customer to Fastpath under the Subscription Agreement is only for Fastpath’s provision of the Services. Fastpath shall not collect, retain, use, process, or disclose the Personal Data (a) for any commercial purpose other than for the specific purpose of providing the services to Customer pursuant to the Subscription Agreement and as set forth in Schedule 1; or (b) outside of the direct business relationship between Fastpath and Customer.
3.5 Prohibited Data. Customer shall not provide to Fastpath or cause Fastpath to Process any protected health information as defined under the Health Insurance Portability and Accountability Act, also known as HIPAA, and its implementing regulations, as amended, unless otherwise expressly agreed to by Fastpath in the Subscription Agreement. If Fastpath does not expressly agree to process such information pursuant to the previous sentence, Fastpath has no obligations or liability with respect to such data. If Customer inadvertently provides or causes Fastpath to process any protected health information, Customer shall: (i) immediately notify Fastpath in writing; and (ii) take all necessary steps to assist Fastpath in removing protected health information from Fastpath’s systems.
4. ASSISTANCE.
4.1 Data Subject Access Requests. Where the Data Subject Access Request is received directly by the Customer and to the extent Customer does not have the ability to address such Data Subject Request using the resources available to Customer, Fastpath will provide commercially reasonable assistance as requested by Customer to enable Customer to respond to a Data Subject Access Request to the extent Fastpath is legally able to do so. If Fastpath receives a Data Subject Access Request directly, where Customer has been explicitly identified, Fastpath will promptly inform Customer within three (3) business days, and Fastpath shall not respond to such requests except as instructed by Customer, unless otherwise required by applicable law, including Applicable Data Protection Laws, provided, however, that Fastpath may: (i) confirm receipt; (ii) confirm that such request relates to Customer; (iii) direct such Data Subject to Customer; or (iv) take other action as may be necessary to comply with Applicable Data Protection Laws.
4.2 Regulatory Authorities. Fastpath will also assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities or regulators relating to Fastpath and, if and to the extent requested by Customer, cooperate with any authorities’ requests.
4.3 Data Privacy Impact Assessments. Upon Customer’s request, Fastpath shall, at Customer’s expense, provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR, UK GDPR, or other Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Fastpath.
5. SECURITY.
5.1 Security Program. Without limiting the security-related obligations under the Subscription Agreement and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fastpath shall at all times have implemented and maintain a comprehensive written information security program (“Security Program”) that (i) complies with all Applicable Data Protection Laws; (ii) contains reasonable and appropriate administrative, operational, technical, physical and organizational measures that are designed to preserve and protect the security, integrity and confidentiality of Personal Data and protect Personal Data against Personal Data Breaches, and (iii) complies with any other specific requirements agreed upon by the parties under the Subscription Agreement.
5.2 No Degradation. Fastpath’s Security Program is subject to technical progress and further development, and Fastpath reserves the right to modify its Security Program at any time, provided, however, that Fastpath will not reduce or degrade the level of security provided to the protection of Personal Data without the approval of Customer.
6. LIABILITY. The limitations on liability, liability caps, and/or exclusions of certain types of damages as set forth in the Subscription Agreement shall apply to the subject matter of this Addendum and the parties’ related rights and obligations hereunder. Under no circumstances will a party be liable for any liabilities, claims, or amounts to the extent that such liabilities, claims, or amounts result from the other party’s acts or omissions.
7. PERSONAL DATA BREACH NOTIFICATION AND MANAGEMENT.
7.1 Notification. Fastpath will, without undue delay upon becoming aware of a Personal Data Breach, notify Customer of any Personal Data Breach, and take steps to remediate the Personal Data Breach. The obligations in this Section 7 do not apply to incidents that are caused by Customer, Customer’s personnel or end users, or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
7.2 Manner of Notification. Notifications of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical, or administrative contacts by means selected by Fastpath, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Fastpath’s support systems at all times.
7.3 Contents of the Notification. To the extent feasible or known at the time of notification, Fastpath will provide the following details: (i) the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects impacted; (iii) to the extent reasonably possible, information regarding the Data Subjects and data records concerned; (iv) measures taken or proposed to be taken by Fastpath to address or remediate the Personal Data Breach; and (v) the name and contact details of Fastpath’s relevant contact from whom more information may be obtained.
7.4 No Admission. Fastpath’s notification of, or response to, a Personal Data Breach under this Section will not be construed as an acknowledgement by Fastpath of any fault or liability with respect to the Personal Data Breach.
8. SUB-PROCESSING.
8.1 Appointment of Sub-processors. Customer agrees that: (i) Fastpath’s Affiliates may be retained as Sub-processors; and (ii) Fastpath and Fastpath’s Affiliates may engage Sub-processors in connection with performance of its obligations under the Subscription Agreement. Fastpath or a Fastpath Affiliate shall impose substantially similar, but no less protective, data privacy and data security obligations as those in the Subscription Agreement and this Addendum on its Sub-processors prior to such Sub-processor Processing Personal Data. Fastpath shall be liable for the acts and omissions of its Sub-processors to the same extent Fastpath would be liable if performing the services of each Sub-processor directly under the terms of this Addendum, except as otherwise set forth in the Subscription Agreement.
8.2 List of Current Sub-processors and Notification of New Sub-processors. Upon request from Customer, Fastpath shall make available to Customer a list of Sub-processors, as may be updated from time to time. If Customer wishes to object to the approval of the new Sub-processor, it must provide such objection in writing to Fastpath within ten (10) days after receipt of Fastpath’s notice, and the Parties will work together in good-faith to address Customer’s objection. In the event that Customer objects to such new Sub-processor and such objection is not resolved within twenty (20) days of Fastpath’s receipt of such objection, Fastpath may terminate the applicable service by providing written notice of termination.
9. OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA PROCESSING SERVICES.
9.1 Upon the expiration or termination of the Subscription Agreement (in whole or in part) for the services described therein and upon Customer’s written request, Fastpath will either delete or make available to Customer for retrieval all Personal Data (including copies, if applicable) in its possession or control, except to the extent that (i) Fastpath is required by applicable law, rules, regulations, directives, ordinances, codes or similar enactments and any obligations imposed by self-regulatory bodies promulgating standards to retain the Personal Data; or (ii) such Customer Data is archived in offline archives, “cold storage” systems, or physical or virtual system backups, which will be securely deleted and protected from further Processing in accordance with Fastpath’s standard deletion practices. Accordingly, Fastpath may retain such portion of Personal Data, provided that Fastpath (i) complies with the confidentiality, privacy, and data security provisions of the Subscription Agreement and this Addendum for as long as it retains such Personal Data, and (ii) deletes such Personal Data without undue delay once Fastpath is no longer subject to such requirement or Personal Data is retrieved from its archived state.
10. Compliance Assistance, Inspections, and Audits.
10.1 Audit Reports. Fastpath maintains security policies and, where appropriate, has obtained the third-party certification and audits demonstrating its compliance with the security measures set forth in Schedule 1 and/or Annex II, including but not limited to Service Organization Control (SOC) 1 Type II and SOC 2 Type II examinations. Upon Customer’s written request no more than once per year and subject to the confidentiality obligations set forth in the Subscription Agreement, Fastpath will provide a copy of Fastpath’s then most recent third-party audits or certifications (the “Reports”), as applicable, or any policies and summaries thereof, that Fastpath makes available to its customers. Requests for Reports and Audits (as defined below) must be sent to GDPR@gofastpath.com. Fastpath may satisfy such audit request by providing Customer with a confidential copy of a Report in order that Customer may reasonably verify Fastpath’s compliance with the technical and organizational measures as required under this Addendum.
10.2 Audits. To the extent a Report does not, in Customer’s reasonable judgment, provide sufficient information to demonstrate compliance with obligations under Applicable Data Protection Laws and this Addendum, Fastpath, upon written request from Customer, will allow an annual (once every twelve (12) months) remote audit to verify Fastpath’s and any of its Sub-processors’ compliance with obligations under Applicable Data Protection Laws and this Addendum (each an “Audit”), to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality selected by Customer and approved by Fastpath (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The Parties will mutually agree upon the scope and duration of, and the data protection controls applicable to, the Audit. Customer will notify Fastpath in writing with a minimum of ten (10) business days prior to any Audit being carried out. Customer will bear the costs of the Audit. If Customer requests Fastpath to incur out-of-pocket costs to assist Customer in the Audit, then Fastpath is entitled to a reasonable reimbursement for its costs of the Audit incurred by Fastpath, to be paid by Customer.
10.3 Limits on Auditing Party. Nothing in the Subscription Agreement or this Addendum will require Fastpath either to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (i) any data of any other customer of Fastpath; (ii) Fastpath’s internal accounting or financial information; (iii) any trade secret of Fastpath; (iv) any premises or equipment not controlled by Fastpath; or (v) any information that, in Fastpath’s reasonable opinion, could: (a) compromise the security of Fastpath’s systems or premises; (b) cause Fastpath to breach its obligations under Applicable Data Protection Law or the rights of any third party, or (c) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under Applicable Data Protection Law. Customer shall contractually impose, and designate Fastpath as a third-party beneficiary of, contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.
11. Europe Specific Provisions. To the extent Fastpath processes Personal Data subject to the GDPR, UK GDPR, and/or FADP, the following provisions shall also apply:
11.1 Definitions.
11.1.1. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as may be updated and amended from time to time.
11.1.2. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
11.1.3. “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) (the text of which is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). The SCCs are hereby incorporated into this Addendum to the extent the services contemplate the export of Personal Data from the European Union or Switzerland to jurisdictions not recognized by a competent data protection authority transferring jurisdiction as providing an adequate level of data protection without other safeguards.
11.1.4. “UK” means the United Kingdom of Great Britain and Northern Ireland.
11.1.5. “UK International Data Transfer Addendum” means United Kingdom’s Information Commissioner’s Office’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued pursuant to S119A(1) Data Protection Act 2018, and is incorporated into this Addendum and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. The UK International Data Transfer Addendum, including but not limited to the Part 2: Mandatory Clauses, are hereby incorporated into this Addendum to the extent the services contemplate the export of Personal Data from the United Kingdom to jurisdictions not recognized by a competent data protection authority in the United Kingdom as providing an adequate level of data protection without other safeguards.
11.1.6. “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
11.2 Details of Processing. The subject-matter of Processing of Personal Data by Fastpath is the performance of the services pursuant to the Subscription Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this Addendum are further specified in Schedule 1.
12. International Transfers of Personal Data.
12.1 The parties agree to negotiate in good faith and enter into the appropriate data transfer agreements when required by Applicable Data Protection Laws.
12.2 Fastpath shall not transfer Personal Data to or from a jurisdiction whose Applicable Data Protection Laws restrict the transfer of Personal Data unless in accordance with (i) the documented Instructions from Customer, including this Addendum, and (ii) in accordance with Applicable Data Protection Laws.
12.3 In the event that Personal Data is required to be processed outside of the European Economic Area (“EEA”), Switzerland, or the UK, then the parties agree that:
12.3.1. with respect to transfers from the EEA and Switzerland, the SCCs will apply;
12.3.2. with respect to transfers from the UK, the UK International Data Transfer Addendum will apply; and
12.3.3. The SCCs and the UK International Data Transfer Addendum are incorporated into and form part of the Subscription Agreement and Addendum.
12.4 For the purposes of the SCCs, Module 2 will apply to the processing of Personal Data by Fastpath on behalf of Customer. Whereby:
12.4.1. Clause 7 (“Docking Clause”) shall apply.
12.4.2. Clause 9(a) Option 2 (“GENERAL WRITTEN AUTHORISATION”) shall apply with a ten (10) day period to object to the sub-processor. Section 6.2 shall control the notification process. See Annex III for list of current sub-processors.
12.4.3. Clause 11(a) (“Redress”) without the mentioned OPTION.
12.4.4. Clause 17 (“Governing Law”) Option 1 shall apply and shall reference the laws of France.
12.4.5. Clause 18 (“Forum Choice”) with the courts of Paris, France.
12.4.6. The parties will complete Schedule 1, which includes the information called for in the SCCs Annex I, Annex II, and Annex III. By executing the Addendum, the parties hereby execute Annex I, Annex II, and Annex III, to the extent applicable.
12.5 For transfers of Personal Data originating from Switzerland, (i) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by FADP; (ii) references in the SCCs to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); and (iii) until the revised FADP enters into force, the SCCs will also protect the data of legal entities in Switzerland.
12.6 For the purposes of the UK International Data Transfer Addendum, the parties will complete Schedule 1, which includes the information called for in the UK International Data Transfer Addendum, including the information called for in the tables set out in Annex IV. By executing the Addendum, the parties hereby execute Annex IV, to the extent applicable.
12.7 If any term or provision of the Addendum or Subscription Agreement is contradictory or inconsistent with any term or provision of the SCCs or UK International Data Transfer Addendum (as applicable), then the terms and provisions of the SCCs or UK International Data Transfer Addendum that provide adequate protection for such Personal Data under Applicable Data Protection Laws shall control.
12.8 Fastpath shall provide Customer with all reasonable information necessary to allow Customer to obtain any applicable data transfer authorization in connection with the Services.
13. Change in Data Protection Laws. The parties may propose amendments to this Addendum, which the parties determine are required to satisfy the requirements of Applicable Data Protection Laws. The parties shall negotiate in good faith to agree and implement such revisions to address the requirements identified by a party as soon as practicable.
Schedule 1
Details of Processing of Personal Data
Controller / Data exporter
The data exporter will provide secure data from their source business software system as instructed by the data importer. This data will be provided to data importer for analysis and reporting as instructed by importer. The Data exporter will control all data provided and may make decisions on what data should be tracked and provided to data importer for analysis.
Processor / Data importer
The data importer is a US-based supplier of security and audit software solutions. It is making available a software-as-a-service to the data exporter and will host the data exporter’s data on servers in the USA, hosted through a sub-processor. Data importer will provide reporting and review functionality for use by data exporter.
Subject Matter and Duration of Processing Personal Data
The subject matter and duration of processing Personal Data are set out in the Subscription Agreement and this Addendum.
Categories of Data Subjects
The personal data transferred concern the following categories of data subjects:
- the data exporter’s staff
- the data exporter’scustomers
- the data exporter’scustomer’s staff
- the data exporter’svendors
- the data exporter’svendor’s staff
Categories of Personal Data
The personal data transferred concern the following categories of data:
- Personal details, where applicable, including:
- user name
- system ID and device data
- email address
- phone number and physical business address
- job title
- descriptions associated with job title
- No special categories of personal data are involved.
Additional data may be tracked by exporter for which the importer would not know the specific fields being tracked, as those must be chosen by exporter. These personal data fields would be in addition to the ones listed above.
Processing Operations
The personal data transferred will be subject to the following basic processing activities:
- Receiving data, including collection, accessing, retrieval, and recording
- Holding data, including storage, organization and structuring
- Using data, including analysis, reporting, and review
- Protecting data, including restricting, encrypting and security testing
- Returning data to the data exporter or data subject
- Erasing data, including destruction and deletion
The Frequency of the Transfer (e.g., is the data transferred on a one-off or continuous basis?):
There is no set frequency, but it is not continuous either; the data transfer is initiated on-demand according to the data subjects desire to provide his/her entitlement to access a particular service of discount, and therefore could be transferred only once or more than once.
Technical & Organizational Measures to Ensure the Security of the Data:
Measures taken by the Data Exporter / Controller: [________]
Measures taken by the Data Importer / Fastpath:
The Data Importer guarantees that the following technical and organizational measures pursuant to Article 32 of the GDPR have been taken:
- Data Importer has annual examinations conducted to review the suitability of the design and the operating effectiveness of the controls in place around personal security, system resiliency, system monitoring, information security, application change control, and data communications. Efforts include:
- Use of firewalls and monitoring.
- Secure configuration of hardware, devices, and software.
- Corporate policies and training ensure requirements are communicated throughout our organization.
- Control and segregation of access to data and services.
- Change control and monitoring, including testing.
- Malware and virus protection.
- Maintenance and update of software, hardware, and related systems.
- Regular backups of data.
- Data Importer utilizes Microsoft Azure and Amazon Web Services as sub processors to host the software solution and data exporter data. Importer reviews the annual Microsoft Azure and Amazon Web Services SOC 1 and SOC 2 reports to ensure controls in place around personal security, system resiliency, system monitoring, information security, application change control, and data communications are adequate and operating as designed.
- Data Importer has an Incident Response Policy and Program in place to address personal data breaches.
- Data Importer has an Information Security Policy and Program in place to manage and administer sound practices around the collection, administration, and security over personal data from the Data Exporter.
Where Special Categories of Data Are Identified, restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Fastpath implements the same heightened security standards set out above for all personal data, including special categories of data, that is Processes. However, no special categories of personal data are involved.
To the extent the SCCs or UK International Data Transfer Addendum apply to this DPA
Data exporter(s) (Customer):
Name:
Address:
Contact person’s name, position, and contact details, including email:
Official Registration Number (if any):
Activities relevant to the data transferred under these Clauses:
Role: Controller
Data importer(s) (Fastpath):
Name: Fastpath Solutions, LLC.
Address: 4093 NW Urbandale Drive / Urbandale, IA 50322
Contact person’s name, position and contact details: Jeff Soelberg, Chief Customer Officer, soelberg@gofastpath.com
Activities relevant to the data transferred under these Clauses: The data importer is a US-based supplier of security and audit software solutions. It is making available a software-as-a-service to the data exporter and will host the data exporter’s data on servers in the USA, hosted through a sub-processor. Data importer will provide reporting and review functionality for use by data exporter.
Role: Processor
Supervisory Authority for SCCs: United Kingdom
Importers List of Sub-Processors is available at
The Controller has authorized the use of the following sub-processors:
Microsoft Azure, One Microsoft Way, Redmond, WA USA 98052
Amazon Web Services, 1200 12th Ave S, Ste 1200, Seattle, WA USA 98144
Annex I
(SCCs)
- LIST OF PARTIES
Data exporter(s): See Schedule 1
Data importer(s): See Schedule 1
B. DESCRIPTION OF TRANSFER -
Categories of Data Subjects: See Schedule 1
Categories of Personal Data transferred: See Schedule 1
Sensitive data transferred (if applicable): See Schedule 1
and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: See Schedule 1 - Details of Processing of Personal Data
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): See Schedule 1
Nature of the processing: See Schedule 1
Purpose(s) of the data transfer and further processing: See Schedule 1
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: See Schedule 1
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See Schedule 1
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: See Schedule 1
_______________________________________________________
Annex II
(SCCs)
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Measures taken by the Data Exporter in respect of the transfer: See Schedule 1
Measures taken by the Data Importer: See Schedule 1
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: See Schedule 1
_______________________________________________________
Annex III
(SCCs)
List of Sub-processors
The controller has authorised the use of the following sub-processors: See Schedule 1
_______________________________________________________
Annex IV
(UK International Data Transfer Addendum)
For information called for in Table 1, see Schedule 1 - Details of Processing of Personal Data.
For information called for in Table 2, to the extent applicable, see DPA § 12.4.
For information called for in Table 3, see Schedule 1 - Details of Processing of Personal Data.
Part 1: Tables
Table 1: Parties
|
Start date
|
|
|
The Parties
|
Exporter (who sends the Restricted Transfer)
|
Importer (who receives the Restricted Transfer)
|
|
Parties’ details
|
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):
|
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):
|
|
Key Contact
|
Full Name (optional):
Job Title:
Contact details including email:
|
Full Name (optional):
Job Title:
Contact details including email:
|
|
Signature (if required for the purposes of Section 2)
|
|
|
Table 2: Selected SCCs, Modules and Selected Clauses
|
Addendum EU SCCs
|
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
|
|
Module
|
Module in operation
|
Clause 7 (Docking Clause)
|
Clause 11
(Option)
|
Clause 9a (Prior Authorisation or General Authorisation)
|
Clause 9a (Time period)
|
Is personal data received from the Importer combined with personal data collected by the Exporter?
|
|
1
|
|
|
|
|
|
|
|
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|
Annex 1A: List of Parties:
|
|
Annex 1B: Description of Transfer:
|
|
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
|
|
Annex III: List of Sub processors (Modules 2 and 3 only):
|
Table 4: Ending this Addendum when the Approved Addendum Changes
|
Ending this Addendum when the Approved Addendum changes
|
Which Parties may end this Addendum as set out in Section 19:
Importer X
Exporter X
neither Party
|
