Data Protection Addendum


1. Preamble¹

1.1 This Data Protection Addendum (“Addendum”) forms part of the Agreement entered into between the Company as listed in the relevant Professional Services Agreement, Statement of Work or Engagement Letter (hereinafter “Company”) and Riveron (hereinafter, and together with all subsidiaries and affiliates, “Riveron” or “Processor”), together referred to as the Parties (“Parties”) and applies where Processor will Process Personal Information when providing Services under the Agreement. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. To the extent that the terms of this Addendum conflict with the terms of this Agreement, the terms of this Addendum will control.

2. Definitions

2.1. “Agreement” means the written or electronic agreement between Company and Processor specific to the provision of the Services to Company.

2.2. “Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Information and/or “controller,” “business” or like term as defined by applicable Privacy Laws.

2.3. “Company Data” means the data that Processor processes for or on behalf of Company through Processor’s provision of the Services.

2.4. “Data Subject” means an identified or identifiable natural person to whom Personal Information relates and/or a “data subject,” “consumer,” or like term as defined by applicable Privacy Laws.

2.5. “Personal Information” means any information relating to an identified or an identifiable natural person or as otherwise defined under Privacy Laws, including “personal information” or analogous variations of such terminology within the meaning of applicable Privacy Laws, to the extent that these may be applicable. For the purposes of this Addendum, Personal Information is limited to such information that is contained in the Company Data.

2.6. “Privacy Laws“ means any laws, regulations, or orders regulating the Processing of Personal Information that are applicable to performance of the Services by Processor.

2.7. “Processor” means the natural or legal person that Processes Personal Information on behalf of the Controller and/or “processor,” “service provider” or a like term as defined by applicable Privacy Laws.

2.8. “Security Breach” means (i) any act or omission that materially compromises either the security, confidentiality or integrity of Personal Information, or (ii) a “security breach,” “data breach,” “personal data breach,” or similar terms as defined by applicable Privacy Law.

2.9. “Sensitive Personal Information” means any “sensitive personal information,” “sensitive data,” “sensitive personal data,” or “special categories of personal data” or similar terms under applicable Privacy Laws.

2.10. “Services” as used in this Addendum means the services or products that are specifically addressed in the Agreement, statement of works or order form entered into between Parties.

2.11. “Business Purpose”, “Commercial Purpose”, “Process” or “Processing”, “Share” or “Sharing,” “Sell” or “Selling”, and “Subprocessor” (or any of their analogous terms) shall all have the meanings set out in the relevant Privacy Law.

3. Designation of the Parties

3.1. The parties agree that, for the purposes of compliance with applicable Privacy Laws, for all Personal Information that is received by Processor from Company in connection with the performance of Processor’s obligations under the Agreement and this Addendum, Company will be the Controller and Processor will be the Processor.

3.2. Each Party will comply, and will take reasonable steps to ensure that its personnel comply, with applicable Privacy Laws in connection with the Agreement and this Addendum.

4. PROCESSING of Personal Information

4.1. Personal Information will be Processed by Processor solely for purposes that are (a) strictly necessary for Processor to perform its obligations under the Agreement; (b) required by law so long as such Processing does not violate applicable Privacy Laws; and (c) other purposes permitted by Company in writing, including for any purposes permitted under the Agreement or applicable SOW, or otherwise explicitly stated in this Addendum.

4.2. Unless as expressly set forth in the Agreement, Company is and shall remain the owner of any Company Data.

4.3. Processor agrees that it shall: (a) not Sell or Share Personal Data; (b) not Process any Personal Information for any Business Purpose or Commercial Purpose other than the purposes identified in Annex 1, or outside the direct business relationship between the Parties; (c) comply with all applicable Privacy Laws and provide materially the same level of privacy protection to Personal Data that is required of Company under applicable Privacy Laws; (d) to the extent required under applicable Privacy Laws, grant Company the right to take reasonable and appropriate steps to ensure that Processor Processes Personal Information in a manner consistent with applicable Privacy Laws and this Addendum, and to take reasonable and appropriate steps to stop any unauthorized Processing of Personal Information; (e) notify Company if Processor determines it cannot meet its obligations under applicable Privacy Law; and (f) take reasonable steps to enable Company to comply with consumer rights requests made under applicable Privacy Law, to the extent that Company cannot comply with such requests without assistance.

4.4. Company agrees that it shall: (a) not provide any processing instructions that may infringe or violate any applicable law, including applicable Privacy Law, or any individual’s intellectual property or privacy rights; (b) ensure that it has the appropriate rights to make Personal Information available to Processor for the purposes described in Annex 1; (c) provide Data Subjects with all necessary notices and obtain any consent required under applicable Privacy Law; (d) not make available any Personal Information to Processor other than the categories of Personal Information identified in Annex 1; (e) not make any Special Personal Information available to Processor without prior express written notice; (f) transfer or make credit card or cardholder data available to Processor; and (g) use the Services in compliance with all applicable laws, including Privacy Laws.

5. INFORMATION SECURITY MEASURES

5.1. Processor will implement and maintain, at its own cost and expense, and in accordance with Privacy Laws and other international standards, reasonable and appropriate technical, organizational, and physical security measures designed to protect the privacy and security of Company Data it Processes in connection with the Agreement and this Addendum. Such measures, at a minimum, will meet the requirements of Annex 2. Processor may modify these security measures at any time and without notice, provided that it will not decrease the overall level of security provided to Company Data.

5.2. In Processing Personal Information on behalf of Company, Processor shall take reasonable steps to ensure that Processor’s personnel who Process Personal Information in connection with the Agreement are subject to appropriate supervision and binding confidentiality obligations in respect of such Processing.

5.3. Neither Company nor its agents may circumvent or otherwise interfere with any user authentication or security of the Service. Company will immediately notify Processor of any breach, or attempted breach, of any security measures known to Company.

6. AGENTS AND SUBPROCESSORS

6.1. Company authorizes Processor to engage third-party Subprocessors to perform Processing activities involving Personal Information on the Company’s behalf. Processor will require such Subprocessors to agree in writing to comply with substantially similar obligations as those contained in this Addendum. The Subprocessors used by Processor as of the date of this Addendum are listed in Annex 1. Upon reasonable request or as required under Privacy Laws, Processor shall provide to Company a list of Processor’s third-party Subprocessors that Process Company Data. Processor shall remain liable for its Subprocessors’ failure to Process Personal Information in accordance with applicable Privacy Laws.

7. SECURITY BREACHES

7.1. Processor shall without undue delay notify Company in writing following confirmation of a Security Breach affecting Personal Information. Such notice shall include information regarding the Security Breach then available to Processor in order to assist the Company to comply with its notification requirements under applicable Privacy Laws. Processor also agrees to provide reasonable assistance to Company in Company’s provision of notice of the Security Breach to impacted Data Subjects or other third parties, including regulators.

8. CROSS BORDER DATA TRANSFERS

8.1. For purposes of this Section, “Standard Contractual Clauses” means the Standard Contractual Clauses set out in Decision (EU) 2021/915 with the clauses corresponding to module two (controller to processor) selected and “UK Addendum” means the addendum to the Standard Contractual Clauses issued pursuant to Section 119A of the United Kingdom Data Protection Act. Company (as data exporter) and Processor (as data importer) shall comply with the Standard Contractual Clauses with respect to Personal Information exported from the European Economic Area to the United States of America or other third country that has not been deemed by the European Commission to ensure an adequate level of protection for such Personal Information. The Standard Contractual Clauses and UK Addendum are hereby incorporated into this Agreement by this reference, with the following information deemed selected and prepopulated:

8.1.1. Option 2 of Clause 9(a) of the Standard Contractual Clauses, “general written authorization,” is deemed to be selected, with Processor to inform Company in writing of any addition or replacement of sub-processors at least 14 days in advance.

8.1.2. Clause 7 shall be deemed incorporated into the Standard Contractual Clauses.

8.1.3. Option 1 of Clause 17 of the Standard Contractual Clauses is deemed to be selected, with the law of the Republic of Ireland deemed to be selected for purposes of such Clause.

8.1.4. Clause 18(b) of the Standard Contractual Clauses is deemed to be prepopulated with “the Republic of Ireland”.

8.1.5. Annex I of the Standard Contractual Clauses is deemed to be completed with the information provided in Annex I of this Addendum.

8.1.6. Annex II of the Standard Contractual Clauses is deemed to be completed with the information provided in Annex II of this Addendum.

8.1.7. All other optional clauses are deemed not to be included in the Standard Contractual Clauses.

8.2. With respect to Personal Information of data subjects in the United Kingdom exported from the United Kingdom to the United States or any other third country that has not been deemed by the United Kingdom to ensure an adequate level of protection for such Personal Information, (i) the Standard Contractual Clauses shall apply to such transfers as provided above, (ii) the UK Addendum shall be deemed executed between the parties, and (iii) the Standard Contractual Clauses shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Information from the United Kingdom to countries that have not been the subject of an adequacy decision.

8.3. In relation to Personal Information protected by the Swiss Federal Act on Data Protection (“FADP”), the Standard Contractual Clauses will apply amended and adapted as follows:

8.3.1. The Swiss Federal Data Protection and Information Commissioner is the exclusive supervisory authority;

8.3.2. The term “member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and

8.3.3. References to the GDPR in the EU SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.

ANNEX 1: PERSONAL INFORMATION PROCESSING TERMS

Categories of data subjects whose Personal Information is transferred: Employees, agents, and Companies of Company, unless otherwise described in the applicable SOW.

Categories of Personal Information transferred: Any data which may be provided or made available to Riveron pursuant to the Services, which may include contact information, commercial information (e.g., products purchased/of interest), internet or other electronic network activity information, audio/ electronic/ visual/ thermal or similar information, employment information, education information, and any other categories of Personal Information described in the applicable SOW.

Categories of Sensitive Personal Information transferred: None

Frequency of the transfer: Continuous

Purposes of the processing: To provide the Services, and as described in more detail in the applicable SOW

Duration of processing: Until the termination of the Services of the Agreement or as otherwise required or permitted by law.

List of Subprocessors: Amazon Web Services

ANNEX 2: MINIMUM INFORMATION SECURITY SAFEGUARDS

Non-disclosure agreements. Processor is responsible for entering into nondisclosure agreements that contain confidentiality requirements substantially similar to those in place between Processor and Company with all agents and Subprocessors prior to sharing any Company Data processed by Processor when providing Services under the Agreement.

Background Checks. To the extent permitted by applicable law, prior to providing its employees or agents access to Company Data, Processor shall ensure that all such employees or agents are subject to a criminal background check. Results should be evaluated to ensure there is no reasonable indication that such employee or agent presents a risk for misuse or threat to Company Data.

Disaster Recovery and Business Continuity. Disaster recovery and business continuity processes shall be established by Processor to ensure the ongoing availability of business processes involving access to or use of Company Data. Recovery time objectives and recovery point objectives must be appropriate to minimize impact to services provided under the Agreement. Processor must test such disaster recovery and business continuity plans at least annually and, upon request, provide reports to Company detailing the results of such tests.

Data Destruction. All Company Data must be securely wiped from systems/servers when the system is retired or when Company Data is required to be deleted pursuant to the Addendum. The wipe method must conform to the U.S. Department of Defense standards for data destruction. Removable media must be encrypted if it is used to transfer Company Data. Removable media must be securely destroyed or returned to Company upon termination or expiration of the Agreement.

Workstation/ Laptop Encryption. All Processor workstations, laptops, personal devices, and portable devices (as applicable) that process or store Company Data must be encrypted. As used herein, the term “encryption” or “encrypted” refers to data that has been secured consistent with Federal Information Processing Standards (“FIPS”), National Institute of Standards and Technology (“NIST”), and/or International Standards Organization (“ISO”) publications regarding cryptographic standards.

Encryption at Rest and In Transit. All Company Data must be encrypted both at rest and in transmission by Processor using an industry standard product and algorithm (NIST, ISO). If cardholder data regulated under the PCI-DSS is processed by Processor, then the encryption levels shall be maintained at the same level required for PCI-DSS certification as published by the Payment Card Industry Council.

Acceptable Security Controls. Processor must implement acceptable security controls, including physical, administrative, and technical safeguards designed to safeguard Company Data from unauthorized access, alteration, disclosure, or misuse. This must include, at a minimum, implementation of a written information security program that complies with all applicable laws and industry standards. Processor shall provide a copy of its written information security program to Company for review, upon request. Acceptable security controls shall include, at a minimum, the following:

Access Control. Processor shall implement role-based access controls for all user permissions, enforcing the principle of least privilege.

User audit. Processor shall undertake regular user access audits to ensure that terminated users no longer have access to the system and that users who change job roles do not retain permissions which are no longer needed.

Multi-Factor Authentication. Multi-factor authentication must be used to access Processor systems or systems used by Processor, to the extent that such are used to process Company Data.

User IDs and Password Controls. Processor must issue a unique username to all authorized users of Company Data. Processor shall require strong passwords following industry standards or best practices to access Company Data.

Documented security policies. Processor shall have documented written security policies based on a recognizable industry standard (e.g., ISO or NIST).

Data Flow Diagrams and Asset Inventory. Documented data flow diagrams and asset inventory should be maintained and updated regularly.

Antivirus. Processor’s endpoints and servers must have a commercial anti-virus software with a minimum daily automatic update of signatures or approved Next Generation antivirus.

Patch Management. All Processor endpoints and servers must have security patches applied regularly. Processor must maintain an appropriate patch management program to remediate issues.

Intrusion Detection. All Processor systems that are accessible via the Internet or store or transmit any Company Data shall be protected by a suitable endpoint detection and response software, other intrusion detection tools and/or prevention system.

Vulnerability Management. All Processor servers, applications, and networks must be regularly scanned for vulnerabilities, including missing patches, outdated versions of software, and certificate issues. Scans may be run by appropriate internal staff. Processor must maintain an appropriate vulnerability management program to timely remediate issues.

Penetration Testing. Internet-facing systems, networks, and applications must undergo third-party penetration testing at least annually to identify vulnerabilities, and remediation of all critical or high-risk vulnerabilities must be completed in a timely manner. Processor must notify Company in the event that a penetration test uncovers a critical or high-risk vulnerability that is not capable of being remediated in a timely manner.

Security Breach Response. Processor must maintain a comprehensive written incident response plan for handling security breaches, incident escalation, breach notification, and corrective action plans. This plan must be regularly tested.

Secure Configuration. Processor must implement system hardening and secure configuration standards (e.g., CIS Benchmarks).

Information Security Training and Awareness Program. All Processor employees or agents with access to Company Data must be trained on Processor’s security program, including all written policies and procedures, prior to receiving access to Company Data or Company Systems. Security and privacy training must be done at least on an annual basis and results documented.

Log Review. All systems and applications processing and/or storing Company Data shall have a procedure in place to routinely review system and application logs for unauthorized access or other suspicious activity.

¹This Data Protection Addendum applies for Services provided by Riveron Consulting LLC., Riveron RTS, LLC., Riveron Intelligent Manufacturing Solutions, LLC., Riveron Management Services, LLC., and Yantra Tech Innovation Lab Pvt. Ltd.