Data Processing Protocol
This Data Processing Protocol (“Protocol”) governs JIA, Inc. (“Processor”) and the Customer (“Controller”), each a “Party” and together the “Parties.” This Protocol is effective as of the date (the “Effective Date”) of the Master Service Agreement (the “Agreement”) executed by both Parties, except as the Protocol may be amended by JIA.
This Protocol applies to the personal data (as defined below) processed (as defined below) in connection with the software and/or services provided under the Agreement (collectively, the “Services”). The Services involve the use of a third-party cloud provider (currently Microsoft Corporation, which provides Azure) and may fall into one of three categories as designated in the Agreement:
[SCENARIO ONE] Processor procures and administers the third-party cloud provider relationship. In this scenario, Controller hereby authorizes Processor to contract directly with the third-party cloud provider on behalf of and/or for the benefit of Controller, and the third-party cloud provider is a subcontractor of Processor – disclosed as such in this Protocol.
[SCENARIO TWO] Controller procures the third-party cloud provider relationship, and Processor manages Controller’s use of the third-party cloud provider. In this scenario, Controller is responsible for contracting directly with the third-party cloud provider (including without limitation any data-processing agreements required by applicable law) and is solely responsible for all obligations related to that third party. The third-party cloud provider is a processor of Controller. In this scenario, Processor is a processor only for Controller.
[SCENARIO THREE] Controller procures and manages the third-party cloud provider relationship. Same as SCENARIO TWO, above, except that – given Controller’s procurement and management – it is possible that Processor will not process any personal data on behalf of Controller. This Protocol may still be necessary, however, if Controller requests that Processor provide support – which may involve incidental processing of personal data.
From the Effective Date, this Protocol is a part of and incorporated into the Agreement, so references to “Agreement” in the Agreement will include this Protocol. Except for the changes made by this Protocol, the Agreement remains unchanged and in full force and effect. To the extent of a conflict between this Protocol and the Agreement, this Protocol will control.
BACKGROUND
(A) Processor is providing, or will provide, Services for or on behalf of Controller pursuant to the Agreement.
(B) The Parties acknowledge and agree that the Services may involve personal data processing in the United States, including without limitation the transmission of personal data to and from the United States, and the storage of personal data in the United States.
(C) The purpose of this Protocol is to set out the data protection terms that will apply to personal data processing to ensure that the data protection rights and freedoms of individuals remain protected in accordance with Applicable Data Protection Law (as defined below).
IT IS AGREED:
1. Definitions
In this Protocol:
1.1 “business,” “consumer,” “controller,” “processor,” “data subject,” “personal data,” “processing” (and “process”), “service provider,” and “special categories of data” will have the meanings given in Applicable Data Protection Law. “Personal information” (as that term is used in Applicable Data Protection Law) will be included within the phrase “personal data,” and “consumer” will be included within the phrase “data subject” used in this Protocol.
1.2 “Applicable Data Protection Law” means any privacy or data protection legislation that applies to the Parties from time to time regarding the processing of personal data under the Agreement, including without limitation the GDPR and CCPA (both as defined below).
1.3 “Authorized Persons” means, with respect to each Party, any person authorized by that Party to process Data (including such Party’s staff, agents, and subcontractors).
1.4 “CCPA” means the California Consumer Privacy Act, California Civil Code Section 1798.100, et seq., and its implementing regulations. As of January 1, 2023, “CCPA” will include the California Privacy Rights Act and its implementing regulations.
1.5 “EEA” means the European Economic Area and, as used in this Protocol, will include Switzerland.
1.6 “GDPR” means the General Data Protection Regulation, (EU) 2016/679, and—as used in this Protocol—includes the UK-GDPR (with regard to the United Kingdom (“UK”)), and the Federal Act on Data Protection (with regard to Switzerland).
1.7 References to “instructions” and related terms mean Controller’s written instructions for processing Data (as defined below), which consist of the terms of the Agreement and this Protocol.
1.8 “Model Clauses” means, as applicable:
1.8.1 For data transfers governed by EEA law, the standard contractual clauses for the transfer of Personal Data to third countries from the EEA pursuant to the GDPR and approved by the European Commission under Decision (EU) 2021/914, as currently set out at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (the “EEA Model Clauses”).
1.8.2 For data transfers governed by UK law, the EEA Model Clauses plus the mandatory clauses of the approved addendum issued by the UK’s Information Commissioner’s Office (“ICO”), as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the “UK Addendum Amendment”).
1.8.3 For data transfers governed by the Federal Act on Data Protection (Switzerland), the EEA Model Clauses will apply; provided that they will be amended for such transfers to provide for supervision by the Swiss Federal Data Protection and Information Commissioner, and the term “member state” will not be interpreted in such a way as to exclude Swiss data subjects from the possibility of enforcing their rights in Switzerland.
1.9 “Permitted Purpose” has the meaning specified in Section 3.
2. Relationship of the Parties
Controller is the controller (and in some cases a processor) and hereby appoints Processor as a processor to process the personal data described in the attached Schedule 2. Such personal data is referred to as the “Data.”
3. Purpose Limitation
3.1 Processor will process the Data (and will maintain records of such processing activities) as a processor only as necessary to perform the Services, and only in accordance with the documented instructions of Controller (the “Permitted Purpose”). In addition, to the extent applicable, the Parties acknowledge that (x) Controller is a “business” and Processor is a “service provider” as those terms are defined by the CCPA; (y) Processor’s processing of Data is necessary for the provision of the Services; and (z) Controller will not receive any monetary or other valuable consideration from Processor in exchange for Processor’s access to and processing of Data. If applicable law conflicts with Controller’s documented instructions, Processor will inform Controller of that before processing unless such notification is prohibited by law. In any event, the Parties will equitably adjust the fees paid to Processor if Controller’s written instructions impose additional requirements on Processor. Without limiting the foregoing, in no event will Processor:
(a) process the Data for its own purposes or those of any third party, including selling, renting, releasing, disclosing, disseminating, or otherwise making such Data available to any third party;
(b) assume any responsibility for determining the purposes for which and the manner in which the Data is processed;
(c) disclose the Data to any third party (other than its authorized subcontractors) without the prior consent of Controller, except where and to the extent disclosure is required by any law applicable to Processor; or
(d) process the Data in any way that would cause Controller to breach any of its obligations under Applicable Data Protection Law.
3.2 Controller is responsible for ensuring that it is lawfully processing and has all other necessary rights to allow Processor to process the Data. Controller will not provide Processor with access to any Data for which Controller does not possess such rights. Without limiting the foregoing, Controller is responsible for ensuring that any necessary notices are provided, data subject consents are obtained, and for ensuring that a record of such consents is maintained. If consent is revoked by a data subject, Controller is responsible for communicating the fact of such revocation to the Processor and assisting Processor with regard to further processing of that Data.
3.3 Controller is responsible for the accuracy and quality of the Data.
3.4 Controller will use its best efforts to determine if the Services involve processing any personal data originating in Australia, Brazil, the EEA, UK, or Argentina and, if so, will promptly notify Processor. Furthermore, Controller must notify Processor if the Data is subject to any Applicable Data Protection Law other than the CCPA or GDPR so the Parties can take steps to enter into additional contractual provisions (if any) necessary to comply with such Law.
3.5 If the Data includes any personal data originating in the EEA or UK, then by entering into this Protocol, Processor and Controller are also hereby signing, entering into, and incorporating into this Protocol the applicable Model Clauses referenced in Section 11, below.
3.6 If a data transfer mechanism being used by the Parties is subsequently modified, revoked, or held by a competent regulator or other governmental authority to be invalid, the Controller and Processor will cooperate in good faith to terminate the transfers being done under that mechanism or pursue a suitable alternate mechanism.
4. Confidentiality of Processing
Processor will ensure that any Authorized Persons will be subject to a duty of confidentiality (whether contractual, statutory, or otherwise), and will not permit any person who is not under such a duty of confidentiality to process the Data. Processor will ensure that all Authorized Persons process the Data only as necessary for the Permitted Purpose.
5. Security
5.1 Processor will implement and maintain appropriate technical and organizational security measures to protect Data from unauthorized or unlawful breaches of security that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data in Processor’s control (“Security Incident”). Processor’s technical and organizational security measures are set forth in Schedule 3 and may be updated from time to time.
5.2 Controller is responsible for reviewing the information made available by Processor relating to data security and making an independent determination as to whether Processor’s security measures meet Controller’s requirements and legal obligations under Applicable Data Protection Law.
6. Subcontracting
Processor will not subcontract any processing of the Data to a third-party subcontractor without the prior written consent of Controller, which consent will not be unreasonably withheld, conditioned, or delayed. Controller consents to Processor engaging its affiliates and other third-party subcontractors to process the Data provided that: (i) Processor provides at least 10 days’ prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform), which notice may be given to Controller by email of such addition or removal; (ii) Processor imposes data protection terms on any subcontractor it appoints that protect the Data to substantially the same standard provided for by this Protocol; and (iii) Processor remains fully liable for any breach of this Protocol that is caused by an act, error, or omission of its subcontractor. Subcontractors as of the Effective Date are set forth in Schedule 4.
7. Cooperation and Data Subjects’ Rights
Taking into account the nature of the processing, Processor will—insofar as is possible—promptly notify Controller of, and provide reasonable assistance to Controller (at Controller’s expense) to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including without limitation its rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from a data subject, regulator, or other third party in connection with the processing of the Data. Processor will not be responsible for responding directly to any request, correspondence, inquiry, or complaint unless otherwise required by law.
8. Security Incidents
8.1 Upon becoming aware of any Security Incident, Processor will inform Controller without undue delay. Processor will use reasonable efforts to identify the cause of such Security Incident and take those steps it deems necessary and reasonable to remediate the cause of such Security Incident to the extent the remediation is within Processor’s control; provided that Processor will have no such obligation if the Security Incident is caused by Controller or any third party retained in connection with the Services.
8.2 Controller will bear the losses and expenses (including reasonable attorneys’ fees) associated with a Security Incident resulting from Controller’s (or any third party’s) negligent actions or omissions or breach of this Protocol, including without limitation any costs: (a) of providing notices of a Security Incident to affected individuals, and to regulators; and (b) of remedying and otherwise mitigating any actual or potential damage or harm of the Security Incident, including without limitation establishing call centers, and providing credit monitoring or credit restoration services.
9. Transfer, Deletion, or Return of Data
Upon request and at Controller’s expense, Controller will be entitled to receive from Processor a copy of all Data that is in Processor’s possession. Processor will provide, at Controller’s expense, any further assistance reasonably requested by Controller in connection with the secure hand-over to a third party of any Data. Processor also agrees, upon request from Controller and at Controller’s expense, to delete or otherwise securely destroy all Data that is in Processor’s possession (including without limitation any Data in the possession of subcontractors). These requirements will not apply to the extent that Processor is required by any law applicable to Processor to retain some or all of the Data, in which event Processor will isolate and protect the Data from any further processing except to the extent required by such law and then return or securely destroy it as soon as possible.
10. Audit
Processor will, upon request at reasonable intervals and if required by Applicable Data Protection Law, make available to Controller all information necessary to demonstrate compliance with the obligations of such Law; provided that the Parties will use best efforts to satisfy all audit obligations through written questionnaires and copies of reports or certifications. If compliance cannot be demonstrated through such written information, an inspection is also permissible. Controller may (unless Applicable Data Protection Law provides otherwise) request audits under this Section only once per calendar year. All audits and other production of documents and information will be at Controller’s expense and subject to the confidentiality provisions of the Agreement. Processor may condition its compliance under this Section on all third parties receiving information committing in writing to treat all information as confidential.
11. Transfer Mechanism for Data Transfers
11.1 If, in the performance of the Services, Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in the EEA or UK is transferred out of the EEA or UK to countries, such as the United States, that do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Law, the transfer mechanism(s) listed below will apply to such transfers and can be directly enforced by the Parties (to the extent permitted by Applicable Data Protection Law):
11.1.1 For EEA transfers where Controller is acting in the capacity as a controller and Processor is acting in the capacity as a processor, EEA Model Clauses Module Two (Controller-to-Processor) – subject to the terms in Schedule 1 of this Protocol;
11.1.2 For EEA transfers where Controller is acting in the capacity as a processor and Processor is acting in the capacity of a sub-processor to Controller, EEA Model Clauses Module Three (Processor-to-Processor) – subject to the terms in Schedule 1 of this Protocol;
11.1.3 For UK transfers, either Module Two or Module Three of the EEA Model Clauses (as appropriate) plus the UK Addendum Amendment – subject to the terms in Schedule 1 of this Protocol.
11.1.4 For Swiss data transfers, either Module Two or Module Three of the EEA Model Clauses (as appropriate) – subject to the terms in Schedule 1 of this Protocol.
12. Limitation of Liability
The aggregate liability of Processor and its affiliates arising out of or related to this Protocol is subject to the limitations of liability, warranty limitations, disclaimers, and other warranty and liability exclusions set forth in the Agreement. The foregoing applies regardless of the nature of the claim – whether in contract, tort, or other theory of liability.
13. Indemnification
Controller will defend, indemnify, and hold Processor, its affiliates, subcontractors, and each of their respective owners, directors, officers, managers, members, employees, contractors, and agents harmless from any and all liability, loss, damage, or expense (including attorney fees) to the extent caused by or arising out of (a) the negligence, wilful misconduct, or fraud of Controller or its agents (including without limitation third parties retained in connection with the Services); (b) instructions provided by Controller; or (c) a breach of Controller’s obligations under this Protocol.
14. Miscellaneous
14.1 Section headings and other headings in this Protocol are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this Protocol.
14.2 The provisions of this Protocol are severable. If any term or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such term or provision, and the rest of this Protocol will remain in full force and effect.
14.3 Any notice, letter, or other communication contemplated by this Protocol must be provided according to the terms of the Agreement.
14.4 The provisions of this Protocol will endure to the benefit of and will be binding upon the Parties and their respective successors and assigns.
14.5 This Protocol will be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Agreement, unless required otherwise by Applicable Data Protection Law.
Schedule 1
Transfer Mechanisms for EEA, UK, and Swiss Data Transfers
For purposes of the Model Clauses Module Two (Controller-to-Processor) and Model Clauses Module Three (Processor-to-Processor), Controller is the data exporter and Processor is the data importer and the Parties agree to the following. Where this Schedule 1 does not explicitly mention which Module applies, it applies to both of them.
1. References to the Model Clauses and UK Addendum Amendment. The relevant provisions contained in Module Two and Module Three of the Model Clauses are incorporated by reference and are an integral part of this Protocol. The UK Addendum Amendment is also incorporated by reference and an integral part of this Protocol. The information required for the Appendix to the Model Clauses and the UK Addendum Amendment are set out in Schedule 2.
2. Docking Clause. The Parties elect to delete the optional docking clause in the Model Clauses (clause 7).
3. Instructions. This Protocol and the Agreement are Controller’s complete and final documented instructions at the time of signature of the Agreement to Processor for the processing of personal data. Any additional or alternate instructions must be consistent with the terms of this Protocol and the Agreement. For purposes of clause 8.1(a) of the Model Clauses, the instructions by Controller to process personal data include onward transfers to third parties located outside the EEA and UK for the purpose of performing the Services.
Where Controller is acting as a processor, Controller represents and warrants that its processing instructions as set out in the Agreement and this Protocol, including its authorizations to Processor for the appointment of sub-processors in accordance with this Protocol, have been authorized by the relevant controller. Controller will be solely responsible for forwarding any notifications received from Processor to the relevant controller where appropriate.
4. Security of Processing. For purposes of clause 8.6(a) of the Model Clauses, Controller is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Schedule 3 meet Controller’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing of its personal data as well as the risks to individuals) the security measures implemented and maintained by Processor provide a level of security appropriate to the risk with respect to such personal data. For purposes of clause 8.6(c) of the Model Clauses, personal data breaches will be handled in accordance with section 8 of the Protocol.
5. Audits Under the Model Clauses. The Parties agree that the audits described in clause 8.9 of the Model Clauses will be carried out in accordance with section 10 of the Protocol.
6. General Authorization for Use of Sub-Processors. The Parties elect option 2 under clause 9 of the Model Clauses. For purposes of clause 9(a), Processor has Controller’s general authorization to engage sub-processors in accordance with section 6 of the Protocol. Processor will make available to Controller the current list of sub-processors in accordance with section 6 of this Protocol (where sub-processors are referred to as “subcontractors”). Where Processor enters into Model Clauses Module Three (Processor-to-Processor) with a sub-processor in connection with the provision of the Services, Controller hereby grants Processor and its affiliates authority to provide a general authorization on Controller’s behalf for the engagement of sub-processors by sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
7. Complaints – Redress. The Parties elect to delete the optional language in clause 11 of the Model Clauses. For purposes of the remaining text in clause 11, and subject to section 7 of the Protocol, Processor will inform data subjects on its website of a contact point for complaints. Processor will inform Controller if it receives a complaint from a data subject with respect to personal data processed under the Agreement, and Processor will without undue delay communicate the complaint to Controller. Processor will not otherwise have any obligation to handle the request (unless otherwise required by law or agreed with Controller).
8. Liability. In addition to the other limitations set forth in the Agreement and Protocol, Processor’s liability under clause 12 of the Model Clauses will be limited to only those damages caused by its processing where it has not complied with its obligations under the Applicable Data Protection Law specifically directed at processors, or where it acted outside of or contrary to lawful instructions provided by Controller – such as specified in Article 82 GDPR.
9. Supervision. Clause 13 of the Model Clauses will apply as follows:
a. Where Controller is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Controller with the GDPR as regards the data transfer will act as competent supervisory authority.
b. Where Controller is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of the GDPR is established will act as competent supervisory authority.
c. Where Controller is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred, or whose behavior is monitored, are located, will act as competent supervisory authority.
d. Where Controller is established in the United Kingdom or falls within the territorial scope of application of the UK-GDPR, the ICO will act as competent supervisory authority.
e. Where Controller is established in Switzerland or falls within the territorial scope of application of the Federal Act on Data Protection (Switzerland), the Swiss Federal Data Protection and Information Commissioner will act as competent supervisory authority insofar as the relevant data transfer is governed by the Federal Act on Data Protection.
10. Notification of Government Access Requests. For purposes of clause 15.1(a) of the Model Clauses, Processor will notify Controller (only) and not the data subject(s) in case of government access requests. Controller will be solely responsible for promptly notifying the data subject(s) as necessary.
11. Governing Law. To the fullest extent permitted by law, the governing law for purposes of clause 17 of the Model Clauses will be the law that is designated in the Governing Law section of the Agreement. Otherwise, the EEA Model Clauses will be governed by (a) with regard to the EEA (except Switzerland), the laws of Belgium; (b) with regard to the UK, the laws of England and Wales; and (c) with regard to Switzerland, the laws of Switzerland.
12. Choice of Forum and Jurisdiction. To the fullest extent permitted by law, the courts with exclusive jurisdiction under clause 18 of the Model Clauses will be those designated in the Venue section of the Agreement. Otherwise, the forum with exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the Model Clauses will be the courts of (a) with regard to data transfers involving EEA data subjects (except Swiss data subjects), the courts of Belgium; (b) with regard to data transfers involving UK data subjects, the courts of England and Wales, and (c) with regard to data transfers involving Swiss data subjects, the courts of Switzerland.
13. Appendix. The EEA Model Clauses Appendix will be completed as follows:
a. The contents of section 1 of Schedule 2 will form Annex I.A to the EEA Model Clauses.
b. The contents of section 2 of Schedule 2 will form Annex I.B to the EEA Model Clauses.
c. The contents of section 3 of Schedule 2 will form Annex I.C to the EEA Model Clauses.
d. The contents of section 4 of Schedule 2 will form Annex II to the EEA Model Clauses.
14. UK Data Exports. The information required for Tables 1 to 3 of Part One of the UK Addendum Amendment is set out in Schedule 2. For purposes of Table 4 of Part One of the UK Addendum Amendment, neither party may end the UK Addendum Amendment when it changes.
15. Data Exports from Switzerland. For Swiss data transfers, the EEA Model Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as personal data under the laws of Switzerland – until such laws are amended to no longer apply to a legal entity. In addition, the term “member state” will not be interpreted in such a way as to exclude Swiss data subjects from the possibility of enforcing their rights in Switzerland.
16. Conflict. The Model Clauses are subject to the Protocol. If the Model Clauses are applicable to a particular situation and there is a conflict between the Model Clauses and the Protocol, however, the Model Clauses will control and govern.
Schedule 2
Service Description
1. PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union (and/or UK or Switzerland)
Name: Customer (as such term is defined in the opening paragraph of the Master Service Agreement) (“Controller”)
Address: As set forth in the opening paragraph of the Master Service Agreement
Contact person’s name, position, and contact details: As set forth in Section 6 of the Master Service Agreement
Activities relevant to the data transferred under these clauses: performance of the Services under the Agreement.
Role: For purposes of the Model Clauses Module Two (Controller-to-Processor), Controller is a controller. For purposes of the Model Clauses Module Three (Processor-to-Processor), Controller is a processor.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: JIA, Inc. (“Processor”)
Address: 201 NE Park Plaza, Suite 220, Vancouver, Washington 98684 United States
Contact person’s name, position, and contact details: Glenn Batson (glenn.batson@jenkon.com)
Activities relevant to the data transferred under these clauses: performance of the Services under the Agreement.
Role: processor
2. DESCRIPTION OF THE TRANSFER
a. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Controller may submit personal data to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
- Independent Sales Force (e.g. Representatives, Consultants, Affiliates), Prospects, Customers, Business Partners, Vendors and Employees of the Controller (who are natural persons)
- Users authorized by Controller to use the Services
b. CATEGORIES OF PERSONAL DATA TRANSFERRED
Controller may submit personal data to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to the following categories of personal data:
- Basic Identifiers (i.e. Name, Passport, TIN, etc.)
- Contact Information
- Demographic Information
- Financial Information
- Online Identifiers (i.e. IP addresses, cookies, etc.)
- User-generated Content (i.e. social media content, personal website, etc.)
c. SENSITIVE DATA TRANSFERRED (IF APPLICABLE)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None.
d. FREQUENCY OF THE TRANSFER
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous, as requested by the Controller in connection with the Services.
e. NATURE OF THE PROCESSING
The nature of the Processing is the performance of the Services under the Agreement.
f. PURPOSE OF PROCESSING, THE DATA TRANSFER, AND FURTHER PROCESSING
Processor will process personal data as necessary to perform the Services under the Agreement, and as further instructed by Controller in its use of the Services.
g. DURATION OF PROCESSING
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Subject to section 9 of the Protocol, Processor will process personal data for the duration of the Agreement, unless otherwise agreed upon in writing.
h. SUB-PROCESSOR TRANSFERS
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Consistent with Processor’s processing as stated in subsection 2(f), above, sub-processors will process personal data as necessary to perform the Services pursuant to the Agreement. Subject to section 6 of the Protocol, the sub-processor will process personal data for the duration of the Agreement, unless otherwise agreed in writing.
Identities of the sub-processors currently used for the provision of the Services and their country of location are listed in Schedule 4. The sub-processors may be updated as stated in section 6 of the Protocol.
3. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with clause 13.
See section 9 of Schedule 1 to this Protocol.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
Processor will maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal data processed in connection with the Services, as described in Schedule 3 or otherwise made reasonably available by Processor.
Schedule 3
Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Description of the technical and organizational measures implemented by Processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Processor uses reasonable administrative, technical, and physical safeguards, including without limitation encryption, robust passwords, and access controls, to limit access to personal information to only those individuals who need to know such information to perform Processor’s obligations under the Agreement. Processor also maintains a record of who has accessed personal information. Processor personnel with access to personal information receive training regarding safeguards and appropriate access to personal information. When Processor needs to transfer personal information out of the data exporter’s production environment, the data is first removed or scrambled via a “Scrub Script” process provided and maintained by Processor. Only after the script has been run may the scrubbed data be transferred, via a secure file-transfer protocol.
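For illustration only, the scrub step described above as an added example (this is not Processor’s actual Scrub Script and is not code from the Protocol): a hypothetical field policy drops direct identifiers, replaces linking identifiers with keyed HMAC-SHA256 tokens so that rows belonging to the same person remain joinable in the scrubbed copy without the key, and checks that no original identifier survives in the output. The field names, the policy, the sample rows and the key are all constructed for the example; the onward file transfer itself is outside the snippet.

```python
"""Illustrative pre-transfer scrub of a customer data export.

Added example, not JIA's "Scrub Script". Assumptions: records are flat
dicts; the field policy below is hypothetical; the HMAC key stays in the
production environment and never travels with the scrubbed file.
"""
import hashlib
import hmac
import json

# Hypothetical field policy for the export (an assumption, not from the Protocol).
DROP = {"passport", "tin", "card_number"}          # removed entirely
PSEUDONYMIZE = {"rep_id", "name", "email", "ip"}    # replaced by a keyed token
KEEP = {"country", "signup_year", "order_total"}    # low-risk, retained as-is

# Constructed sample rows standing in for a production export.
SAMPLE_EXPORT = [
    {"rep_id": "R-1001", "name": "Ana Ruiz", "email": "ana@example.com",
     "passport": "X1234567", "tin": "123-45-6789", "ip": "203.0.113.7",
     "country": "MX", "signup_year": 2021, "order_total": 120.50},
    {"rep_id": "R-1001", "name": "Ana Ruiz", "email": "ana@example.com",
     "passport": "X1234567", "tin": "123-45-6789", "ip": "203.0.113.7",
     "country": "MX", "signup_year": 2021, "order_total": 99.00},
    {"rep_id": "R-2002", "name": "Bo Chen", "email": "bo@example.org",
     "passport": "Y7654321", "tin": "987-65-4321", "ip": "198.51.100.9",
     "country": "US", "signup_year": 2022, "order_total": 15.25},
]


def pseudonymize(value, key, field):
    # Keyed hash (HMAC-SHA256): the token cannot be reversed or recomputed
    # without the key. The field name is mixed in so the same string in two
    # different columns yields two different tokens.
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]


def scrub_record(rec, key):
    out = {}
    for field, value in rec.items():
        if field in DROP:
            continue
        if field in PSEUDONYMIZE:
            out[field] = pseudonymize(str(value), key, field)
        elif field in KEEP:
            out[field] = value
        else:
            # Fail closed: a column without a reviewed policy never passes through.
            raise ValueError(f"no scrub policy for field {field!r}")
    return out


def scrub_export(records, key):
    return [scrub_record(r, key) for r in records]


def leaked_values(original, scrubbed):
    """Return any original DROP/PSEUDONYMIZE value that still appears in the
    serialized scrubbed output; an empty list means the scrub is clean."""
    blob = json.dumps(scrubbed)
    found = []
    for rec in original:
        for field in DROP | PSEUDONYMIZE:
            v = str(rec.get(field, ""))
            if v and v in blob:
                found.append((field, v))
    return found


if __name__ == "__main__":
    key = b"example-key-kept-in-production"   # constructed; use a real secret
    scrubbed = scrub_export(SAMPLE_EXPORT, key)
    assert leaked_values(SAMPLE_EXPORT, scrubbed) == []
    print(json.dumps(scrubbed, indent=2))
```

Because the token is keyed, a recipient of the scrubbed file cannot rebuild the mapping by hashing guessed names or e-mail addresses, and rotating the key produces an unlinkable new set of tokens; the leak check is the control that a transfer should not proceed without.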
If data exporter requests that Processor access data exporter’s production environment, Processor accesses only what is requested by data exporter – and such access is at all times managed by data exporter and subject to any policies or procedures that data exporter may provide at that time.
As outlined above, Microsoft provides cloud-storage services for Processor pursuant to a contract between Microsoft and Processor. Specifics regarding Microsoft’s technical and organizational measures can be found here: https://docs.microsoft.com/en-us/azure/compliance/. Microsoft’s current form of Data Protection Addendum is available here: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Additional measures include:
- Pseudonymization and encryption of personal data
- Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
- User identification and authorization
- Protection of data during transmission
- Protection of data during storage
- Events logging
- Limited data retention
Schedule 4
LIST OF SUB-PROCESSORS
The following subcontractors are used by data importer to process personal data under the Agreement:
| Entity Name | Subprocessing Activities | Entity Country |
|---|---|---|
| Microsoft Corporation (Azure) | Third-Party Cloud Service Provider | United States, and other countries where the Azure tenant may be hosted, as designated in the Agreement |
| Atlassian | HelpDesk Application Provider | United States |
Data importer affiliates:
| Entity Name | Entity Country |
|---|---|
| Jenkon Mexico S DE RL DE CV | Mexico |