DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) by and between [CONTROLLER COMPANY NAME] a [STATE OF INCORPORATION], with offices at [ADDRESS], and, to the extent required under Applicable Data Protection Laws, Controller’s Authorized Affiliates (collectively “Controller”) and Accio, Inc., d/b/a Jump (“Processor”) (each a “Party”, and together the “Parties”).
RECITALS
WHEREAS, the Parties have entered into a certain terms of service, letter of intent, purchase agreement, Master Services Agreement, or other agreement between the parties (“Agreement”).
WHEREAS, in the course of providing the Services to Controller pursuant to the Agreement, Processor may Process Personal Data on behalf of Controller;
WHEREAS, to ensure adequate safeguards with respect to the Processing of Personal Data provided by Controller to the Processor the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW, THEREFORE, in consideration of the foregoing premises and of the mutual promises and covenants set forth below, Controller and Processor hereby agree as follows:
AGREEMENT
This DPA is incorporated, in its entirety, into the terms of the Master Services Agreement signed by the parties. Its effective date is the same as that Master Services Agreement. The Master Services Agreement signed between the parties is also known as an “Agreement” throughout this document.
DEFINITIONS
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. The term “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Data Protection Laws” means all applicable laws, regulations, regulatory guidance, or requirements in any jurisdiction relating to data protection, privacy, or confidentiality of Personal Data including but not limited to (a) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) together with any transposing, implementing or supplemental legislation, and (b) the California Consumer Privacy Act (“CCPA”).
Authorized Affiliate” means any of Controller’s Affiliates which (a) are subject to the data protection laws and regulations of the European Economic Area and/or its member states, the United Kingdom, and Switzerland, (b) are subject to data protection laws and regulations outside of the European Economic Area and/or its Member States, Switzerland, and the United Kingdom (as applicable), and (c) permitted to use Processor for Processing pursuant to the Agreement;
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, the Party identified as Controller above is a Controller under this DPA.
“Data Breach” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed.
“Data Protection Authority” means any representative or agent of a government entity or agency who has the authority to enforce Applicable Data Protection Laws.
“Data Subject” means a natural person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or particular household. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Process” shall mean any operation or set of operations which is performed upon Personal Data or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Applicable Data Protection Laws.
“Processor” means the entity which Processes Personal Data on behalf of the Controller. For the avoidance of doubt, the Party identified as “Processor” above is a Processor for this DPA.
“Services” means Processing of Personal Data by the Processor in connection with and for the purposes of the provision of the services to be provided by the Processor pursuant to the Parties Agreement.
“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that process information on behalf of a Data Controller and to which the Data Controller discloses a Data Subject’s Personal Data for a Business Purpose pursuant to a written contract, provided that the contract prohibits the Service Provider from retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services specified in the contract, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Data for a Commercial Purpose other than providing the services specified in the contract with the Data Controller. The terms “Business Purpose” and “Commercial Purpose” have the same meaning as those terms are used in the CCPA. For the avoidance of doubt, Processor is a Service Provider.
“Sub-processor” means any entity which Processes Personal Data on behalf of the Processor.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The party identified above as Controller is a Controller under this DPA. The party identified above as Processor is a Processor under this DPA. The subject matter, duration, purpose of the Processing, and the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1.
2.2 Controller’s Obligations. Controller’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquires Personal Data and provides it to Processor.
2.3 Processor’s Obligations. All Personal Data Processed by Processor pursuant to the Agreement is Confidential Information and Processor will Process Personal Data only in accordance with Controller’s documented instructions set forth in Schedule 1 or as otherwise provided by Controller in writing. Processor will not sell the Personal Data Processed under this DPA and will not retain, use, or disclose Personal Data outside of the direct business relationship between Processor and Controller. Processor shall adhere to all Applicable Data Protection Laws with regard to Processing Personal Data. Processor will not combine Personal Data provided by Controller with Personal Data that it receives from other sources. Where the Processor believes that compliance with any instructions by Controller would result in a violation of any Applicable Data Protection Law, the Processor shall notify Controller thereof in writing without delay. Processor shall make available to the Controller all information necessary to demonstrate Processor’s compliance with its obligations under this DPA.
2.3.1. Assistance Requirements. Processor shall assist Controller with the following: compliance with Applicable Data Protection Laws when required by Applicable Data Protection Laws; suspected and relevant Data Breaches; notifications to, or inquiries from a Data Protection Authority; notifications to, and inquiries from, Data Subjects; and Controller’s obligation to carry out data protection impact assessments and prior consultations with a Data Protection Authority.
3. NOTIFICATION OBLIGATIONS
3.1 Processor’s Notification Obligations. Processor shall immediately notify Controller, in writing, of the following:
A Data Subject’s request to exercise their privacy rights such as accessing, rectifying, erasing, transporting, objecting to, or restricting their Personal Data;
- 3.1.1 A Data Subject’s request to exercise their privacy rights such as accessing, rectifying, erasing, transporting, objecting to, or restricting their Personal Data;
- 3.1.2 Any request or complaint received from Controller’s customers or employees;
- 3.1.3 Any question, complaint, investigation, or other inquiry from a Data Protection Authority;
- 3.1.4 Any request for disclosure of Personal Data that is related in any way to Processor’s Processing of Personal Data under this DPA;
- 3.1.5 A Data Breach pursuant to the notification obligations set forth in Section 7.1; and
- 3.1.6 Where the Personal Data becomes subject to search a seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed.
Processor will assist Controller in fulfilling Controller’s obligations to respond to requests relating to sections (3.1.1)-(3.1.6) above and will not respond to such requests without Controller’s prior written consent unless Processor is required to respond by applicable law.
4. CONFIDENTIALITY
4.1 Processor’s Personnel. Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Processor shall ensure that such confidentiality obligations survive the termination of their respective employment relationship with such individuals.
4.2 Limitation of Access. Processor shall ensure that Processor’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Controller acknowledges and agrees that Processor and Processor’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services. Processor or Processor’s Affiliate shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor.
5.2 Notification of Changes to Sub-processors. Processor will inform Controller of any intended changes concerning the addition or replacement of Sub-processors and give Controller an opportunity to object to such changes. Processor will notify Controller of any intended changes concerning the addition or replacement of Sub-processors in writing at least 30 days prior to its use of the Sub-processor.
5.3 Objection Right for New Sub-processors. Controller may object to Processor’s use of a new Sub-processor by notifying Processor promptly in writing within fifteen (15) business days after receipt of Processor’s notice. In the event Controller objects to a new Sub-processor, Processor will use reasonable efforts to make available to Controller a change in the Services to avoid Processing of Personal Data by the objected-to new Sub- processor. If Processor is unable to make available such change, Controller may terminate the applicable Agreement with respect to those Services which cannot be provided by Processor without the use of the objected-to new Sub-processor.
5.4 Liability for Acts of Sub-Processors. Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. SECURITY
6.1 Protection of Personal Data. Processor shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.
6.2 Audit Rights. Controller, or Controller’s designee, has the right to audit and inspect—at Controller’s expense—Processor’s policies, procedures, and related documentation to make sure Processor complies with the requirements in this DPA. Controller may only exercise this audit right once per 365-day period unless Controller exercises this right pursuant to a Data Breach, or a regulator or law enforcement entity requires such an audit. Controller, or Controller’s designee, will provide at least 14-days’ notification before conducting an audit unless such audit is required due to a Data Breach involving Processor. Audits by Controller or Controller’s designee will not violate Processor’s confidentiality obligations with Processor’s other clients.
7. DATA BREACHES
7.1 Data Breach Notification. Processor shall notify Controller in writing without undue delay after becoming aware of a suspected Data Breach. In no event shall such notification be made more than 72 hours after Processor’s discovery of the Data Breach.
7.2 Data Breach Management. Processor shall make reasonable efforts to identify the cause of such Data Breach and take those steps as Processor deems necessary and reasonable to remediate the cause of such a Data Breach to the extent the remediation is within Processors reasonable control.
8. TERMINATION
8.1 Termination. This DPA shall terminate automatically upon the later of (a) the termination or expiry of the Agreement or (b) Processor’s deletion or return of Personal Data. Controller shall further be entitled to terminate this DPA for cause if the Processor is, in the sole opinion of Controller, in a material or persistent breach of this DPA which, in the case of a breach capable of remedy, shall not have been remedied within ten (10) days from the date of receipt by the Processor of a notice from Controller identifying the breach and requesting its remedy.
8.2 Return or Deletion of Data. Upon termination of this DPA, Processor will delete or return all existing copies of Personal Data unless applicable law requires continued retention of the Personal Data. Upon the request of Controller, the Processor shall confirm compliance with such obligations in writing and delete all existing copies. In instances where applicable law requires the Processor to retain Personal Data, Processor will protect the confidentiality, integrity, and accessibility of the Personal Data; will not actively Process the Personal Data; and will continue to comply with the terms of this DPA.
9. MECHANISMS FOR INTERNATIONAL TRANSFERS
9.1 Transfers Outside of the EU. During the provision of Services under the DPA, it may be necessary for Controller to transfer Personal Data from the European Union, the European Economic Area and/or their member states, the United Kingdom, or Switzerland to Processor in a country that does not have an adequacy decision from the European Commission or is not located in the European Economic Area. In the event of such a transfer, the Standard Contractual Clauses apply as follows:
9.1.1. In relation to Personal Data that is subject to the GDPR (i) Processor will be deemed the "data importer" and Controller is the "data exporter"; (ii) the Module Two terms shall apply where Controller is a Data Controller and where Processor is a Data Processor; (iii) in Clause 7, the optional docking clause shall be deleted; (iv) in Clause 9 of Module Two, Option 2 shall apply and the list of Subprocessors and time period for notice of changes shall be as agreed under Section 5 of this DPA; (v) in Clause 11, the optional language shall be deleted; (vi) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by the member state where Controller is domiciled; (vii) in Clause 18(b), disputes shall be resolved before the courts of the member state where Controller is domiciled; (viii) Annex I and Annex II shall be deemed completed with the information set out in Schedule 1 of this DPA respectively; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict. For this section, the Standard Contractual Clauses from the Commission Implementing Decision (EU) 2021/914 are incorporated by reference and available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
9.1.2. In relation to Personal Data that is subject to UK Data Protection Laws, the International Data Transfer Agreement (“IDTA”) shall apply with the following modifications: (i) the contact information about the parties to the Agreement is the contact information for the IDTA; (ii) Controller is the data exporter and Processor is the data importer; (iii) the laws that govern the IDTA and the location where legal claims can be made is England and Wales; (iv) the UK GDPR does not apply to the data importer’s processing of transferred data; (v) the Parties do not use the additional security or commercial clauses from the IDTA; and (vi) the information in this DPA and Schedule 1 can be used for Tables 1-4. The Part 4 Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses, are incorporated by reference and available here:https://ico.org.uk/media2/migrated/4019538/international-data-transfer-agreement.pdf.
9.1.3. In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses referenced in Section 9.1.1 shall apply with the following modifications (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" shall be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" shall be replaced with the "the Swiss Federal Data Protection and Information Commissioner " and the "relevant courts in Switzerland".
9.2. Alternative Data Transfer Mechanisms. The Parties acknowledge that the laws, rules and regulations relating to international data transfers are rapidly evolving. In the event that Controller adopts another mechanism authorized by applicable laws, rules or regulations to transfer Personal Data (each an “Alternative Data Transfer Mechanism”), the Parties agree to work together in good faith to implement any amendments to this Agreement necessary to implement the Alternative Data Transfer Mechanism.
If a law or regulation replaces or supersedes any of the standard contractual clauses referenced in this Section, the Parties may adopt the text of the new standard contractual clauses without having to amend this DPA.
10. MISCELLANEOUS PROVISIONS
10.1. Amendments. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of both Parties.
10.2 Governing Law. This DPA shall be governed by the governing law set forth in the Agreement.
List of Schedules:
Schedule 1: Description of the Processing
SCHEDULE 1
Description of the Processing
Contact Information
Processor
Party Name: ACCIO, INC d/b/a JUMP
Address: 50 West Broadway, Suite 333 Salt Lake City, Utah 84101
privacy@jumpapp.com
Controller
Party Name:
Address:
Subject-Matter
The subject matter of the processing is detailed in the description of services in the Agreement and supporting documentation to that Agreement.
Duration
As set forth in the Agreement between the Parties.
Extent, Type and Purpose of the Processing
As set forth in the Agreement between the Parties.
Frequency of Transfer
☒Continuous
☐One-off
Data Subjects
The service will gather information from the customer’s employees and customer’s clients.
Subprocessor Transfers
Processor’s list of subprocessors is available at: https://security.jump.ai/. Controller approves the use of each Subprocessor listed in that table.
Categories of Data
The Personal Data Processed may concern the following categories of data:
☒Identifying Information
☒Social and Contact Information
☒Financial Data
Technical Measures to Secure Data
Company has implemented the technical and organizational measures that can be reviewed at the following link to ensure the security of Personal Data: https://security.jump.ai/.
A summation of Jump’s security is detailed below:
1. Organizational Controls
1.1 Information Security Program. Jump maintains and will use commercially reasonable efforts to continually make improvements to a documented information security program, designed in accordance with industry standards and best practices. Jump shall maintain compliance with relevant frameworks and standards, including the AICPA Trust Services Criteria.
1.1.1. Internal Controls. Jump implements operational and technical controls that meet or exceed applicable and current industry standards to protect Customer Property from unauthorized access, modification, use, and deletion. Jump performs an internal audit of the operating effectiveness of its security controls at least annually.
1.1.2. Policies. Jump’s Head of Security reviews and approves the Company’s information security policies at least annually.
2. Technical Controls
2.1. Encryption of Customer Data. Jump encrypts Customer Property at rest and in-transit over untrusted networks using current industry standards.
2.1.1. Key Management. Jump’s encryption key management program includes regular rotation of encryption keys. Jump logically separates encryption keys from Customer Data.
2.2. Access Control. Access to Company Property is granted as needed based on job role and responsibilities, and valid business need. All production and administrative access requires a unique user ID and password, as well as multi-factor authentication.
2.2.1. User Access Reviews. Jump reviews production systems access quarterly, revoking inactive and no longer needed accounts.
2.3. Device Management. Jump personnel use Jump-provisioned laptops that are centrally managed. Employee laptops are configured with controls that include, but are not limited to, disk encryption, password protection, inactivity lockout, anti-malware, automatic OS updates, removable media restriction, and host-based firewalls.
2.4. Environment Segregation. Jump logically separates the production environment from development and testing environments.
2.5. Network Security. Jump implements a multi-layered network infrastructure that restricts unauthorized traffic, provides continuous monitoring, and detects and limits the impact of attacks. Jump uses firewalls, in addition to intrusion detection and prevention systems.
2.5.1. Hardening. Jump configures and deploys information systems, network devices, and applications using a secure configuration baseline. Hardening includes, but is not limited to, changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching.
2.5.2. WAF. Jump uses a web application firewall designed to protect against common web application vulnerabilities, such as cross site scripting, denial of service (DoS), and injection attacks.
2.7. Logging and Monitoring. Monitoring services are utilized to log activities and changes within the production environment. Logs are continually monitored and analyzed for anomalies. Logs are securely stored for at least one year.
2.8. Vulnerability Management. Jump performs vulnerability scans of the systems used to provide the Services daily. Identified vulnerabilities are patched in accordance with Jump’s vulnerability management policy.
2.8.1. Penetration Testing. Jump conducts annual independent penetration testing. Jump will make available an executive summary report of the most recent penetration test report in Jump’s Trust Center.
2.9. SDLC. Jump implements technical and operational controls to ensure secure code development. Such measures include, but are not limited to, mandatory peer review and approval, static and dynamic application security testing (SAST and DAST), and dependency management.
3. Operational Controls
3.1. Personnel Security. Jump performs background screening on all new hires as part of the hiring process, to the extent permitted by applicable law. Jump personnel are required to sign confidentiality agreements and Jump’s information security policies upon hire.
3.2. Security Training. Jump personnel are required to complete security awareness training upon hire and annually thereafter. Training curriculum can include, but is not limited to, phishing awareness, incident reporting procedures, device security, and remote work best practices.
3.3. Third-Party Risk Management. Jump maintains a third-party risk management program designed to ensure that Subprocessors maintain security measures no less rigorous than Jump’s obligations set forth in this Exhibit. Jump performs annual assessments of Subprocessors, reviewing independent audit reports, penetration test reports, and other relevant security documentation.
3.4. Physical Security. To ensure Jump’s cloud hosting provider (“Cloud Provider”) has appropriate physical and environmental controls for its data centers hosting Jump’s cloud environment, Jump validates the operating effectiveness of such controls by reviewing the Cloud Provider’s independent audit reports and certifications annually.