DATA PROCESSING ADDENDUM
This Data Processing Agreement, including its schedules (“DPA”) is incorporated into the Agreement between Interai and Customer in relation to any processing activities performed by Interai with respect to Customer’s Personal Data as part of the License to Software and related Services, all as set forth in the Agreement and any Order Form entered into by the parties. Any capitalized term not defined herein shall have the meaning ascribed to it under the General Terms.
INTERAI DOES NOT COLLECT ANY PERSONAL DATA OTHER THAN PERSONAL DATA RELATING TO CUSTOMER’S AGENTS. ALL OTHER PERSONAL DATA PROCESSED THROUGH THE SOFTWARE SHALL BE STRICTLY PROCESSED WITHIN CUSTOMER’S ENVIRONMENT WITHOUT ACCESS OR RETENTION BY INTERAI.
1. Definitions
- “Agreement” means the Interai General Terms and Order Form executed between Interai and Customer, including any ancillary documents, exhibits, quotes, or statements of work entered into by Customer and Interai in connection therewith.
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Customer Data” means any Personal Data Processed by Processor on behalf of Customer pursuant to or in connection with the Agreement and Personal Information as defined under the CCPA and Information as defined under the Privacy Law.
- “Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), and laws implementing or supplementing the GDPR; (ii) Israel’s Protection of Privacy Law, 1981 and regulations and orders promulgated thereunder, including without limitation the Protection of Privacy Regulations (Information Security) 2017, and Directive 2-2011 for Use of Outsourcing for the processing of Personal Data (collectively, “Privacy Law”); (iii) the California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder, as may be amended from time to time (“CCPA”); and/or (iv) any privacy and data protection laws applicable to the Customer.
- “Services” means the grant of License to the Software pursuant to the Agreement and any services relating thereto.
- “Standard Contractual Clauses” means the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or updated from time to time by the European Commission (EC).
- “Sub-Processor” means any Processor engaged by Processor, including Interai affiliates which shall be deemed approved Sub-Processors pursuant to Section 8.
- The terms “Controller”, “Data Subject”, “Data Protection Officer”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “processing”, and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
- The terms “Business”, “Consumer”, “processing”, “Request to Know”, “Request to Delete”, “Request to Opt-Out”, “Sell”, and “Service Provider” shall have the meanings ascribed to them in the CCPA.
2. Application of data protection laws
- Roles of the Parties. The Parties acknowledge and agree that with regard to the processing of Customer Data, (i) as applicable under the GDPR, Customer is the Data Controller, and Interai is the Processor appointed by the Customer on its behalf, and accordingly (ii) as applicable under the CCPA, when Customer collects Personal Information that is subject to the CCPA, Customer may constitute a Business with respect to such Personal Information and Interai will therefore be considered a Service Provider on its behalf. Each Party is responsible for complying with the Data Protection Laws as they apply to it.
- Additional Measures. If any Data Protection Laws impose on Processor additional or overriding obligations to those in this Data Processing Addendum with respect to its processing of Customer Data, or require Customer and Processor to enter into any additional agreements or to implement any additional security or organizational security measures to process Customer Data under the Agreement, Customer and Processor agree to negotiate such additional obligations, agreements, or security measures in good faith. If the Parties are unable to agree on a resolution and the costs in respect of the additional measures required in consideration of such additional obligations, then either party may immediately terminate the Agreement and Processor shall have no further liability to Customer in respect of such termination.
- CCPA Related Provisions. In the event the CCPA applies to the processing of Customer Data under this Data Processing Addendum, the Additional CCPA Terms attached hereto as Exhibit A shall apply to such processing in addition to this DPA.
3. Processing of customer data
3.1 Customer Responsibilities
- Customer shall, in its use of the Services, process Customer Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to data controllers thereunder. Customer shall comply with all necessary transparency and lawfulness requirements under Data Protection Laws in order to disclose any Customer Data to Processor, including without limitation, as applicable, obtaining all consents necessary to enable the processing activities contemplated under this DPA. Customer’s instructions for the Processing of Customer Data shall comply with Data Protection Laws and shall be strictly consistent with the scope of the Agreement.
- Customer shall defend, hold harmless and indemnify Processor, its affiliates, and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation, or infringement by Customer and/or its authorized users of any Data Protection Laws and/or this DPA and/or this Section.
- Processor will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Customer to the extent that such is a result of Customer’s instructions.
3.2 Processor Responsibilities
- Processing. Processor shall process Personal Data on Customer’s behalf and in accordance with Customer’s documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA. Processor will comply with all applicable Data Protection Laws. Where Processor believes that an instruction of Customer would result in a violation of any applicable Data Protection Laws, Processor shall notify the Customer thereof without undue delay.
- Details of Processing. The details of the processing activities to be carried out by Processor in respect of the engagement under the Agreement, including with respect to the duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data processed and categories of Data Subjects under this DPA, are further specified in Exhibit B (Details of the Processing).
- Assistance. Processor will use reasonable commercial efforts to assist Customer in ensuring compliance with Customer’s obligations related to the security of the Customer Data processed by Processor, notification, and communication of data breaches, conduct of data protection impact assessments and any inquiry, investigation, or other request by a Supervisory Authority.
4. Security, audits, and inspections
- Controls for Protection of Personal Data. Taking into account the state of the art, the type of Customer Data and the risk of a data security breach, Processor shall implement and maintain those technical and organizational measures set forth in Exhibit C as required to ensure an appropriate level of security pursuant to Article 32 of the GDPR in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to Customer Data and/or as otherwise required pursuant to applicable Data Protection Laws. The Parties agree that the technical and organizational security measures that are listed in Exhibit C ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects’ Personal Data as contemplated in this DPA.
- Records of Processing. Each of Processor and Customer will maintain up-to-date written records of its processing activities as required under Article 30 of the GDPR, including, inter alia, Processor’s and Customer’s contact details, details of data protection officers (where applicable), the categories of processing, transfers of Customer Data, and the technical and organizational security measures implemented by Processor. Upon request, each party will provide an up-to-date copy of these records to the other party.
- Third Party Certification and Compliance Assessment. Processor shall make available to Customer information reasonably necessary to demonstrate its compliance with this DPA and Data Protection Laws and shall cooperate with reasonable privacy impact assessment requests by Customer (or another auditor mandated by Customer). The parties agree that Processor may satisfy its obligations under this Section, and any similar obligations under the Standard Contractual Clauses, by presenting summary copies of its ISO 27001 certification or other security documentation at Processor’s discretion to Customer, which reports, certifications and documentation shall be subject to the confidentiality provisions of the Agreement.
- Audit. Upon the prior request of Customer, and no more than once per year, upon prior notice of at least thirty (30) days, Processor shall make available to an independent third-party auditor appointed by Customer, all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits including inspection conducted by it. Any such inspection or audit shall be conducted during Processor’s regular business hours. Any personnel of the third-party auditor shall be bound by written agreement containing confidentiality obligations no less strict than under this Agreement and the findings of any such audit shall be deemed Processor’s Confidential Information. Customer shall provide Processor with a copy of such information and audit reports.
- DPO. If required under Applicable Law, Processor will appoint a Data Protection Officer.
5. Personal data breach
Processor shall notify Customer within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer Data. In such event, Processor shall:
- provide Customer with all available information relating to (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned; (ii) the likely consequences of the Personal Data Breach; (iii) the name and contact details of Processor’s Data Protection Officer or another contact point where more information can be obtained; and (iv) a description of the measures taken or proposed to be taken by Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
- reasonably cooperate with Customer in connection with the investigation and mitigation of any Personal Data Breach, and use commercially reasonable efforts in its remediation and in the implementation of any necessary corrective action as determined by Processor.
- The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Agents or are otherwise unrelated to the provision of the Software. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws).
6. Rights of data subjects
- Processor shall assist Customer in complying with any of Customer’s statutory obligations concerning requests to exercise Data Subject rights under applicable Data Protection Law (e.g., for access, rectification, deletion of Customer Data, etc.). Taking into account the nature of the Processing, Processor shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Processor’s provision of such assistance.
- Personnel. Processor shall ensure that only authorized personnel have access to Customer Data and that any persons whom it authorizes to have access to Customer Data on its behalf are subject to a binding contractual or statutory obligation to protect the Customer Data and keep it confidential no less than Processor is required to do under the Agreement and this DPA. Processor shall ensure that its authorized personnel are appropriately trained regarding their data protection and confidentiality obligations.
- Permitted Disclosure. Processor may disclose and Process the Customer Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, Processor shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
8. Sub-processors
- Authorized Sub-Processors. Processor has appointed its Affiliates and the Sub-processors included in Exhibit D as Sub-Processors to perform processing activities in respect of Customer Data on behalf of Processor, and any such Sub-Processors are hereby approved by Customer. Processing by Sub-Processors is done under a written contract containing: (i) materially equivalent obligations to those in this DPA; or (ii) provisions which meet the requirements under applicable Data Protection Laws, including without limitation under Articles 28(3), 28(7) and 28(8) of the GDPR and Section 1798.140 (v) and (w) of the CCPA. Processor shall remain fully responsible for its Affiliates’ and the Sub-Processors’ performance of their obligations.
- Objection Right for Sub-Processors. Processor may not add or change a Sub-Processor without first notifying Customer in writing (including by providing public notice of an update on its website) and giving Customer ten (10) days (from the date of receipt of the notice) to object to the change in Sub-Processor on reasonable and objectively justifiable grounds that are related to the data protection measures implemented by such Sub-Processor. Customer may subscribe to e-mail notifications of any new Sub-Processor by sending an email to firstname.lastname@example.org with the subject “SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION.” Failure to object in writing to such Sub-processor during the aforementioned notice period shall be deemed as acceptance of the Sub-Processor. If Customer objects to the change in Sub-Processor, then the parties will work together in good faith to resolve the objection, which may include avoiding the functionality provided by the new Sub-Processor or recommending a commercially reasonable workaround to avoid processing of the Customer Data by the new Sub-Processor. If such agreement is not reached, then Customer, as its sole and exclusive remedy, may terminate the applicable Agreement and this DPA, solely with respect to those Services which cannot be provided by Processor without the use of the objected-to Sub-processor.
9. Transfers of data
- Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States, or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
- Transfers to Other Countries. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which are not subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with their applicable obligations under Chapter V of the GDPR, including, if necessary, executing the Standard Contractual Clauses or complying with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries.
- Standard Contractual Clauses. The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfers from the EEA to Other Countries where such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Interai is the data processor of the Personal Data.
- Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Interai as the data processor of the Personal Data and a third party appointed by Interai is a Sub-processor of the Personal Data.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) shall apply.
- Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 8 of the DPA.
- In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
- In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
- In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
  - Data Exporter: Customer.
  - Contact details: As detailed in the Agreement.
  - Data Exporter Role:
    - Module Two: The Data Exporter is a data controller.
    - Module Three: The Data Exporter is a data processor.
  - Data Importer: Interai.
  - Contact details: As detailed in the Agreement.
  - Data Importer Role:
    - Module Two: The Data Importer is a data processor.
    - Module Three: The Data Importer is a sub-processor.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
  - The categories of Data Subjects are described in Exhibit B (Details of Processing) of this DPA.
  - The categories of Personal Data are described in Exhibit B (Details of Processing) of this DPA.
  - The frequency of the transfer is a continuous basis for the duration of the Agreement.
  - The nature of the processing is described in Exhibit B (Details of Processing) of this DPA.
  - The purpose of the processing is described in Exhibit B (Details of Processing) of this DPA.
  - The period for which the personal data will be retained is the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
  - In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing are set forth in Exhibit B (Details of Processing) of this DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows:
  - The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated above.
- The security documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.
10. Return or deletion of personal data
- Return. Processor will retain Customer Data only for as long as necessary to satisfy the purposes for which it was provided to Processor by Customer. Processor shall, at Customer’s request and option, delete or return to Customer all copies of any Customer Data once such data is no longer necessary to be retained in accordance with the Agreement. Processor shall ensure that all Sub-Processors shall similarly delete or return all copies of Customer Data.
- Retention. Notwithstanding the foregoing, Processor may retain Customer Data to the extent required according to applicable laws of the European Union or of any Member State, or for evidence and legal compliance purposes, provided that such Customer Data shall continue to be retained in accordance with the terms of this DPA. If Customer requests the Customer Data to be returned, the Customer Data shall be returned in the format generally available for Processor’s customers.
- This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This DPA cannot, in principle, be terminated separately from the Agreement, except where the Processing ends before the termination of the Agreement, in which case this DPA shall automatically terminate.
12. Order of precedence
- In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely as relating to matters concerning Personal Data. Except as expressly modified herein, all terms and conditions of the Agreement shall remain in full force and effect. With respect to Processor’s processing of Customer Data as part of a transfer pursuant to Section 9.3, in the event of a conflict between the terms of the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
- Processor reserves the right, at its discretion, to change this DPA at any time. Such change will be effective ten (10) days following sending a notice thereof to Customer or posting the revised DPA on the Interai website, and Customer’s continued use of the Software thereafter means that Customer accepted those changes.
CCPA ADDITIONAL TERMS
- Interai shall comply with the obligations of a “service provider” as defined in CCPA/CPRA.
- Customer shall disclose Personal Data to Interai solely for: (i) a valid business purpose; and (ii) Interai to perform the Services.
- Interai is prohibited from: (i) selling or sharing Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than for the business purposes specified in this Agreement, including a commercial purpose other than providing the Services or as otherwise permitted by the CCPA/CPRA; (iii) retaining, using, or disclosing the Personal Data outside of the Agreement; and (iv) combining the Personal Data that Interai receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Interai may combine personal information to perform any business purpose as defined in regulations adopted pursuant to the CCPA/CPRA.
- Interai acknowledges that Customer discloses Personal Data only for limited and specified purposes, as set forth herein.
- Customer may take reasonable and appropriate steps to help ensure that Interai uses the Personal Data transferred to it in a manner consistent with Customer’s obligations under the CCPA/CPRA.
- Interai shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA/CPRA provided that such notice shall not derogate from Interai’s responsibilities under this DPA so long as it is in effect.
- Customer may, upon notice to Interai, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
- Both parties certify that they understand and will comply with the restrictions set forth in this Exhibit A to the DPA.
DETAILS OF THE PROCESSING
Subject matter. Interai will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including providing the service(s) to Customer, and providing support and technical maintenance, if agreed in the Agreement.
- For Interai to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Interai will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Interai may process Customer Data through the Services, the extent of which is controlled by Customer, and which may include, but is not limited to, the following categories of Personal Data:
- Customer employee’s full name
- Customer employee’s email address
Categories of Data Subjects
Interai may process Customer Data through the Services under the Agreement, the extent of which is controlled by Customer, and which may include, but is not limited to, the following categories of data subjects:
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
Information Security Management
- All users, including administrator-level users, have a unique User ID
- Strong password is enforced (min. 8 characters, 1 capital, 1 numeric, 1 special character)
- Password recovery system is secure (password request link through corporate email or similar)
- Accounts are locked after defined number of unsuccessful login attempts
- Unused accounts are disabled after a defined period of inactivity
- Access to information systems is restricted according to the role of the individual (need to know and least privileged principles)
- Regular access reviews are undertaken
- More stringent access controls for administrator access are implemented
Cloud hosting accounts where Personal Data processing takes place are protected. Interai implements appropriate measures to ensure the security of the relevant Infrastructure including but not limited to:
- Use of network segregation between cloud hosted Production, Testing and Development environments
- Security Group firewall rules are configured at the Virtual Private Cloud (VPC) service environment
- Secure communications between customer network and the Interai cloud service environment
- Operating system configurations are appropriately hardened: Services, applications and ports that will not be used are disabled; guest accounts are removed or disabled; default and vendor supplied passwords are changed
- The most recent security patches are installed on the system as soon as feasible following a test
- Anti-virus software is installed and regularly updated, and scans are run at regular intervals
- Appropriate measures are in place to handle Denial of Service attacks
- Appropriate measures are in place for intrusion detection and/or protection
- Relevant systems are monitored for relevant vulnerability alerts and security logs are stored
- Relevant systems clocks/time are synchronised using time synchronisation technology
- Measures are in place to detect additions, modifications, or deletions within personal data files
- Network vulnerability scans are performed on a regular basis and vulnerabilities are fixed according to their severity level and the SLA.
- Interai ensures that no equipment personally owned by its employees, (including contractors, temporary employees, and agency workers) is used to store, access or process any Personal Data
- The use of portable media is prohibited by procedure
- Production data at rest is encrypted at the volume level with AES-256 encryption
- Company owned endpoints have full disk encryption enabled and enforced by a company central EDR service
- Backups remain in the production service environment and are encrypted and stored with the same protection measures that are applied to the service
- Customers’ data is permanently deleted from the production service at the termination of the agreement
- Customers’ data is not used in testing and/or development low level environments
- Communication between customer’s network and the Interai cloud service environment is encrypted with TLS 1.2 or higher
- Interai has monitoring tools that provide alerts of exceptions. Exceptions are investigated by qualified DevOps engineers, who are responsible to launch an incident response in the case of a data breach or a service outage
- When a breach is identified, it will be determined whether it leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, that is, an event that is likely to result in a risk to the rights and freedoms of natural persons, including any lack of availability of Personal Data
- In the case of an incident that has an impact on customer’s data, the customer will be notified as soon as possible and no later than 24 hours from confirmation of the incident by Interai
- Interai will undertake remedial action and investigate the incident to carry out any recovery or other action necessary to remedy the security breach
- Interai’s Incident Response (IR) team will take the required actions to contain, respond and restore the availability and access to Personal Data in a timely manner
- IR team will analyse circumstances/context to determine the root cause
- IR team will identify Personal Data involved and affected individuals
- At the conclusion of the incident, a Lessons Learned summary will be documented and shared with the customer
Backup and DR
- Backups have a 14-day retention period
- Restoration procedure, data readability and integrity of backups are periodically tested
- Access to data in backups is restricted to authorized personnel
- We have a set of procedures and policies that are enforced by automations and scheduled tasks
- We conduct annual internal audits of all company departments
- We are audited by a 3rd party on an annual basis
- We conduct a 3rd party annual application penetration test and fix all findings of Medium and higher prior to moving software into production service environment