Data Processing Addendum

As part of the services (“Services”) provided under the Master Services Agreement (the “Agreement”) between NetSPI LLC (“NetSPI”) and Client, NetSPI may inadvertently gain access to Personal Data on behalf of Client or otherwise receive Personal Data of Client employees in the form of business contact information or login credentials. This Data Processing Addendum (the “Addendum”) shall apply if and to the extent that such activities constitute Processing of such Personal Data, as defined below. “Client” means the entity that entered into the Agreement with NetSPI, and such entity’s Affiliates to the extent that their data is processed as part of the engagement between NetSPI and Client.

This Addendum describes the parties’ obligations with respect to Personal Data Processed under the Agreement. This Addendum is hereby incorporated into and made a part of the Agreement. Any capitalized terms not defined herein will have the definition used in the Agreement. The terms of this Addendum will control to the extent inconsistent with the Agreement. 

1. Definitions. In this Addendum, these terms will have the following meanings: 

“Controller” means a person that, either alone or with another person, determines the purposes and means of Processing Personal Data, and includes a “Business” as defined by CCPA.

“Data Incident” means any unauthorized destruction, loss, alteration, disclosure, acquisition or use of, or access to, Personal Data transmitted, stored or otherwise Processed under this Addendum, including any such event that may require a Controller to provide notice to Data Subjects or regulatory authorities under applicable Data Protection Laws.

“Data Protection Laws” means all state, federal, or international laws relating to data protection, privacy, data security, or Data Incidents that are then in effect and applicable to a party or Personal Data Processed under the Agreement. Data Protection Laws may include, without limitation: Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018, the UK GDPR (as defined in the Data Protection Act 2018), and Cal. Civ. Code §§ 1798.80 et seq., 1798.100 et seq. and 11 CCR § 999.300 et seq. (“CCPA”).

“Data Subject” means any natural person to whom, or household to which, Personal Data relates.

“Personal Data” means any data of Client in the possession or control of NetSPI that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, to the extent such data is defined as “Personal Information” or analogous definitions in, and regulated by, applicable Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a person, to the extent that person Processes Personal Data on behalf of a Controller, including persons defined as “Service Providers” or similar under analogous definitions under applicable Data Protection Laws.

“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated last four digits of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” or “sensitive personal information” or analogous definitions in applicable Data Protection Laws.

2. Compliance. NetSPI will comply with all applicable Data Protection Laws applicable to NetSPI’s Processing of Personal Data.

3. Controller/Processor. The parties intend for Client to act as the Controller, and NetSPI to act as the Processor with respect to the Personal Data Processed under the Agreement and this Addendum.

4. Processing Purpose/Limitation. Client authorizes NetSPI to Process Personal Data: (a) as necessary to provide the Services, subject to the specifications and limitations set forth in the Agreement, this Addendum, and Schedule 1; and (b) as otherwise mutually agreed in advance and in writing. NetSPI will not retain, use, or disclose any Personal Data for any purpose other than the direct business relationship between the parties, or for the purpose of providing services to another person or entity except: (i) as necessary to fulfill Client’s authorized business purposes as provided herein; or (ii) as otherwise required by applicable law. NetSPI will not sell (as defined in applicable Data Protection Law) or share (as defined in CCPA) any Personal Data Processed hereunder. NetSPI may not combine Personal Data received from or Processed on behalf of Client with Personal Data it receives from or on behalf of third parties, except that NetSPI may combine Personal Data to perform any business purpose (as defined by CCPA), provided such purposes do not include cross-context behavioral advertising, or for advertising or marketing purposes where such combination is prohibited by applicable Data Protection Laws (e.g. for opted-out consumers). NetSPI shall Process Sensitive Data only as necessary to perform the Services, and NetSPI shall limit the use or disclosure of Sensitive Data as required under applicable Data Protection Law, or as required in response to a Rights Request.

5. Authorized Persons. NetSPI will use reasonable efforts to ensure that persons authorized by NetSPI to Process the Personal Data, including without limitation all approved Subprocessors (as defined below), are under an appropriate contractual or statutory obligation of confidentiality and security with respect to such Personal Data.

6. Subprocessing. NetSPI may appoint additional Processors to Process Personal Data on NetSPI’s behalf or perform its obligations under the Agreement (“Subprocessor”). All Subprocessors used by NetSPI are hereby approved by Client. NetSPI will require its Subprocessors to comply with obligations substantially similar to those required of NetSPI under this Addendum. NetSPI shall authorize Subprocessors to Process Personal Data only to the extent necessary to perform the Subprocessor’s obligations.

7. Termination. NetSPI will cease Processing Personal Data upon (a) the termination or expiration of the Agreement, or (b) the request of the Client, and in each case, at Client’s option, either return or delete all copies of Personal Data, except (and solely to the extent and for so long as) retention is required by applicable law. NetSPI’s obligations under this Addendum shall survive any termination of the Agreement or Addendum for so long as NetSPI remains in possession or control of, has access to, or otherwise Processes Client’s Personal Data.

8. Security. Taking into account the state of the art, the costs of implementation, NetSPI’s size, the nature of NetSPI’s business, the categories of Personal Data Processed, and the purposes for which such Personal Data will be Processed, NetSPI shall implement appropriate technical, organizational, and physical security measures to ensure a level of security appropriate to protect Personal Data from unauthorized access, use, modification, disclosure, or Processing other than that permitted by this Addendum. NetSPI’s security program shall be documented in writing and, in all material respects, meet the requirements of Data Protection Laws.

9. Data Incidents. NetSPI shall promptly investigate, and use reasonable efforts to contain and remediate any Data Incident. NetSPI shall notify Client without undue delay via email if NetSPI becomes aware of a Data Incident.

10. Data Subject Rights. NetSPI will promptly notify Client of (a) any communication from a Data Subject exercising any rights in Personal Data or the Processing thereof (including any request to limit the use or disclosure of Sensitive Data) under applicable Data Protection Laws (“Rights Request”), and (b) any inquiry or notice from any supervisory authority regarding a party’s Processing of Personal Data under this Addendum or compliance with applicable Data Protection Laws. NetSPI will cooperate as reasonably necessary, including through the use of appropriate technical and organizational means, to assist the Client in the fulfilment of its obligations in relation to a Rights Request or in connection with any response to Data Subjects or supervisory authorities. To the extent NetSPI receives a Rights Request directly from a Data Subject regarding data Processed under this Addendum, NetSPI shall not respond to such Rights Request, except as required by applicable Data Protection Law or in order to direct the Data Subject to contact Client in relation to the Rights Request.

11. International Transfers. Client authorizes NetSPI’s Processing of Personal Data, subject to the terms of this Addendum, anywhere in the world, including by any company owned by, controlled by, or under common ownership or control with NetSPI. NetSPI shall use reasonable efforts to ensure that Personal Data remains adequately protected in relation to such transfer, to the extent required under Applicable Data Protection Law. The parties shall negotiate in good faith any further agreements or supplemental measures which may be required under applicable Data Protection Laws in relation to the international transfer of Personal Data prior to any such transfer. To the extent the Services require transfers of Personal Data subject to Data Protection Laws of the EEA or UK, to NetSPI outside such jurisdictions, the transfer measures set forth in Schedule 2 shall apply, if attached hereto.

12. Non-Compliance Notice. NetSPI will inform Client if, in its opinion, an instruction of Client violates any Data Protection Laws.

13. Priority. To the extent of any inconsistency or conflict among the following with respect to the requirements for NetSPI’s Processing of Personal Data, the order of precedence shall be: (1) Schedule 2 (if applicable); (2) Schedule 3 (if applicable); (3) this Addendum; and (4) the Agreement.

14. Changes. In the event of any change in the Data Protection Laws, the Parties will negotiate in good faith toward an agreement on any additional contractual terms which may be required following such change.

Schedule 1 – Data Processing

Processing – Service Provider (Section 4)

Controller Activities (Controller’s activities relating to Processing under the Addendum) – The use and receipt of NetSPI Services for Client’s ongoing business operations, under and in accordance with, and for the purposes that are anticipated and permitted in, this Addendum and the Agreement between the parties.

Processor Activities (Processor’s activities relating to Processing under the Addendum) – Processing of Client employee work contact information for performance of the Services; processing of Personal Data inadvertently discovered, or purposely discovered in an in-scope manner (such as escalation of privilege), during performance of the Services, solely for performance of those Services.

Categories of Personal Data Processed – The following categories of Personal Data will be Processed in connection with NetSPI’s Processing as a Service Provider/Processor:
- Identity Data/IDs
- Gov’t ID Data
- Contact Data
- Commercial/Transactional Data
- Financial/Payment Data
- Device/Network Data
- Inference Data
- User Content
- Audio/Visual Records
- Biometric Data
- Genetic Data
- Health Data
- Geolocation Data
- Student Records
- Prof./Employment Data
- Protected Class Data
- Race/Ethnic Origin, Religious Beliefs, Union Membership
- Communications Content

Categories of Sources of Personal Data – The Personal Data Processed in connection with NetSPI’s Processing as a Service Provider/Processor will come from the following sources:
- Individuals/Users (first party)
- Client/Customer (third party)
- Inference/Analysis
- Data Aggregators
- Automatic Collection

Categories of Data Subjects – The Personal Data Processed in connection with NetSPI’s Processing as a Service Provider/Processor relates to the following categories of individuals:
- Consumers/Users
- Client Employees/Personnel
- Minors 13–16
- Minors < 13
- Clinical Patients
- Students
- Other [Describe]

Business Purpose of Processing – The Personal Data Processed in connection with NetSPI’s Processing as a Service Provider/Processor will be Processed for the following purposes and business objectives:
- Auditing
- Information Security
- Debug/Stability
- Ephemeral
- Customer Marketing Services
- Internal R&D
- Safety/QA
- NetSPI Product improvement/enhancement
- Other [Describe]

Categories of Third Party Recipients – Personal Data Processed in connection with NetSPI’s Processing as a Service Provider/Processor will be shared by NetSPI with the following categories of third parties:
- Clients
- Service Providers
- Affiliates
- Successors
- Data Aggregators
- Other [Describe]

Subprocessing (Section 7)

Subprocessors – NetSPI may use the following Subprocessors to Process Personal Data under the Agreement:

Processor: NetSPI India Private Ltd.; NetSPI UK Ltd.; NetSPI Canada Ltd.
Purpose: NetSPI, LLC subsidiaries who may also be engaged to perform client cybersecurity services.
Retention: For no longer than is necessary for the business purposes for which the regulated information was processed.

Miscellaneous

Duration of Processing – For the Term of the Agreement
Frequency of Data Transfer (how often data will be transferred between parties) – Continuous / On Request/Periodic / One Time
Data Retention (period for which data is retained) – For the Term of the Agreement (including any transition periods) and as otherwise specified in the Agreement and Addendum.
Processing Jurisdictions – United States, India, Canada, England and Wales

Schedule 2 – International Transfer Provisions

1. Definitions:

i. “European Data Protection Laws” means: Regulation 2016/679 (“GDPR”), Directive 2002/58/EC (the “ePrivacy Directive”), and any laws, regulations, or rules implementing the foregoing, or implemented in European Union Member States thereunder, and any successor directives or regulations thereof then in effect, as well as the UK Data Protection Act 2018, the UK GDPR (as defined in the Data Protection Act 2018), the UK Privacy in Electronic Communications (EC Directive) Regulations 2003; and Swiss Data Protection Act 2020.

ii. “Standard Contractual Clauses” mean the standard contractual clauses adopted by the COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as any amendments, replacements or other supplementing provisions (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0915&locale=en).

iii. “Restricted Transfer” means a transfer covered by Chapter V of UK GDPR.

iv. “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0 (21 March 2022), issued under s.119A(1) of the Data Protection Act 2018 (available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf).

v. “UK GDPR” has the definition set forth in Section 3 of the Data Protection Act 2018 (UK).

2. Transfers from EEA. Client agrees that NetSPI may Process Personal Data outside the European Economic Area (“EEA”) as part of the Services. Any transfers of Personal Data subject to European Data Protection Laws outside the EEA shall be Processed subject to: (i) an adequacy decision of the European Commission; or, in the absence thereof, (ii) in accordance with the Standard Contractual Clauses; (iii) subject to a recipient’s Binding Corporate Rules program; or (iv) any derogations or other transfer measures provided under GDPR Art. 49. With respect to transfers between Client (or its Affiliate(s) entitled to receive services under the Agreement) domiciled in the EEA and NetSPI, such transfers shall be subject to the Standard Contractual Clauses, which are entered into and completed as follows (and are incorporated, as completed below, into this Addendum by this reference):

2.1 The parties agree that “Module Two” (Controller-to-Processor) of the Standard Contractual Clauses shall apply to this Addendum, with the Client (or its Affiliate(s) entitled to receive services under the Agreement) domiciled in the EEA, and identified on Schedule 1.A. hereto, being the “Controller(s)” and NetSPI being the “Processor”;

2.2 In Clause 7, the optional docking clause will apply;

2.3 In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 6 of the Addendum;

2.4 In Clause 11, the optional language will not apply;

2.5 In Clause 17, Option 1 shall apply, and the Standard Contractual Clauses will be governed by the law of the Agreement, provided that if such law is not the law of an EU member state, or if the Agreement does not contain a governing law provision, the Standard Contractual Clauses will be governed by the laws of Ireland;

2.6 In Clause 18(b), Option 2 shall apply, and disputes will be resolved before the courts specified in the Agreement, provided that if such law is not the law of an EU member state, or if the Agreement does not specify a venue/forum, disputes will be resolved before the courts of Ireland;

2.7 Annex I.A. is completed as set forth in the Addendum as supplemented by Schedule 1. Annex I.B. of the Standard Contractual Clauses shall be completed as set forth on Schedule 1 of this Addendum to this Agreement, and the list of Subprocessors shall be set forth as on Schedule 1.

2.8 Annex I, Part C of the Standard Contractual Clauses: The competent supervisory authority shall be the supervisory authority with authority over the data exporter, or if none, Ireland.

2.9 Section 7 of the Addendum, as supplemented by Schedule 1 of this Addendum, serves as Annex II of the Standard Contractual Clauses.

2.10 The transfer impact assessment and supplemental measures set forth on Schedule 2 shall apply to the extent of any data exports to the United States. The parties shall agree to negotiate in good faith for the addition of any further supplemental terms required by applicable law to complete and execute the Standard Contractual Clauses for each Customer transferring Personal Data under the Standard Contractual Clauses.

3. Transfers from the UK. Client agrees that NetSPI may transfer Personal Data subject to the UK GDPR outside the United Kingdom (“UK”) as part of the Services. Restricted Transfers of Personal Data subject to UK GDPR outside the UK shall be made pursuant to the Standard Contractual Clauses, as further amended by the UK SCC Addendum, which is completed as follows, and incorporated as such into this Agreement by this reference:

3.1 Table 1 shall be completed with the relevant information of the Client (or its Affiliate(s) entitled to receive services under the Agreement) domiciled in the UK, and the Parties identified on Schedule 1.A. hereto, with the “start date” the Effective Date of the Agreement;

3.2 Table 2: The selection shall be “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum” and the table shall be completed as follows:

i. Only Module 2 is in operation;

ii. Clause 7 (Docking Clause) will apply;

iii. Clause 11 (Option) will not apply;

iv. Clause 9a (Prior Authorisation or General Authorisation) will be “General Authorisation”;

v. Clause 9a (Time Period) will be as set forth in Section 6 of this Addendum.

3.3 Table 3 shall be completed as set forth in Schedule 1-II of this Addendum; and

3.4 Table 4: the selection shall be “Data Exporter”.

Schedule 3 – Transfer Impact Assessment and Supplemental Measures (US)

1. Scope
This Addendum (US) applies to the transfer to the United States of Personal Data subject to the Data Protection Laws of the EEA, UK, or Switzerland.

2. Description of the technical and organisational security measures implemented by the data importer in accordance with Clause 8 of the Clauses:
Organizational security measures set forth in the Addendum.

3. Description of the parties’ assessment of the Processing in light of Clause 8 of the Clauses and applicable US law, and description of supplemental controls or security measures implemented to ensure appropriate safeguards when Processing Personal Data in the United States:

A. Applicability and Impact of US Law

The parties acknowledge that US law, in particular EO 12333 and FISA § 702, may authorize the bulk collection of data transmitted to or Processed by certain parties in the United States. Specifically, Section 702 authorizes the bulk collection of data from “Communications Services Providers” (as defined in the Stored Communications Act)[1], and EO 12333 authorizes passive bulk collection of communications sent primarily via Tier 1 communications providers and cloud service providers.[2] Therefore, the telecommunications and cloud service providers used by the data importer in connection with the provision of its services could, in theory, be subject to requests from the US government authorizing the bulk collection of personal data Processed by data importer.[3]

The parties acknowledge that any bulk collection and Processing authorized under EO 12333 and FISA § 702 does not comply with the EU Charter of Fundamental Rights Articles 7, 8, and 47 due to non-US residents’ inability to seek judicial recourse with respect to, and the lack of limits on the scope and purpose of Processing inherent in, such bulk collection. Accordingly, the parties agree that the risk of FISA’s application to the personal data Processed hereunder is low.

The parties acknowledge that US federal and state authorities may have access to and Process personal data through other lawful access requests. However, such measures (such as general court orders, subpoenas, or warrants) are not known to authorize bulk collection. Further, the evidentiary procedures and judicial processes unavailable under FISA/EO 12333 remain generally available in connection with such lawful access requests. Specifically, data Processed pursuant to non-FISA subpoenas, court orders, or warrant applications are limited in purposes and scope, and allow for judicial recourse, each in a manner sufficient to ensure adequate protections and that have been determined to be consistent with the EU Charter of Fundamental Rights.[4] Accordingly, the parties agree that it is not necessary at this time to consider or implement supplemental controls to ensure appropriate protection unless data importer’s Processing is known to be subject to Processing under FISA § 702 or EO 12333.

B. Supplemental Controls

In order to ensure appropriate safeguards are in place and ensure the protection of EU residents’ fundamental rights given the nature and scope of US law, the data importer will mitigate known risks using the following controls.

With respect to passive bulk collection via telecommunications networks, data importer and exporter agree to follow best practices to ensure data is encrypted in transit, thereby deidentifying Personal Data at the point of interception. Specifically, the parties agree to implement the following “Supplemental Controls”:

i. Use a minimum of TLS v1.2 to provide an encrypted channel for the transmission of Personal Data over telecommunications networks using HTTP (such as web traffic, web/mobile application connections, etc.).

ii. Ensure administrative and maintenance sessions and other external connections to any remote computing environment are secured through the use of at least TLS v1.2 or appropriate VPN connections.

With respect to bulk collection by cloud providers, or as a result of data importer’s use of shared tenant cloud infrastructure, in addition to the security measures described above: 

i. Data importer will encrypt all files at rest in all shared tenant environments using a minimum of AES-256. 

ii. The cloud application server is encrypted using keys managed by the cloud provider’s key management service. All Personal Data accessed via the application server and stored in the cloud service is managed solely by data importer, and the cloud service provider cannot itself decrypt Personal Data; decryption of Personal Data is authorized solely by data importer, and solely in connection with its performance of services on behalf of data exporter.

iii. Data importer will use Virtual Private Cloud infrastructure and other logical isolation techniques to limit data availability and Processing via shared infrastructure or multi-tenant routing.

iv. Data importer will ensure administrative and maintenance sessions, third party integrations/connections, and other external connections to the remote computing environment are secured through the use of at least TLS v1.2 or appropriate VPN connections.
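The in-transit controls above (B.i, B.ii and B.iv) all reduce to one checkable configuration property: no channel carrying Personal Data may negotiate a protocol version below TLS v1.2. The block below is an added illustration, not NetSPI’s code and not part of the Addendum. It builds a client-side TLS configuration that meets that floor using Python’s standard `ssl` module, places a constructed legacy configuration beside it that still permits older protocol versions, and audits each against the Schedule 3 requirement. The function names (`hardened_client_context`, `legacy_client_context`, `audit_context`, `meets_schedule3`) are assumptions for this example. The audit also flags disabled peer-certificate verification, which goes slightly beyond the Schedule’s literal text but falls under the “best practices to ensure data is encrypted in transit” the parties commit to.

```python
import ssl

# Schedule 3, B(i)/(ii)/(iv): TLS v1.2 is the floor for any channel carrying Personal Data.
REQUIRED_MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client configuration meeting the Schedule 3 floor (assumed helper name).

    create_default_context() verifies the peer certificate against the system
    trust store; the minimum version is then pinned explicitly so the result
    does not depend on the default of the interpreter in use.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = REQUIRED_MIN_TLS
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration for comparison (assumed helper name).

    It lets OpenSSL negotiate the oldest protocol version it still supports
    and turns off certificate verification, so a passive observer on the
    path could see a downgraded, unauthenticated session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context satisfies
    the Schedule 3 in-transit controls (assumed helper name)."""
    findings = []
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) and TLSv1 (769)
    # both compare below TLSv1_2 (771).
    if ctx.minimum_version < REQUIRED_MIN_TLS:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} is below the "
            f"required {REQUIRED_MIN_TLS.name}"
        )
    # Assumption beyond the Schedule's wording: encryption without peer
    # authentication is not a 'best practice' channel for Personal Data.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate verification is disabled (CERT_NONE)")
    return findings


def meets_schedule3(ctx: ssl.SSLContext) -> bool:
    """Convenience predicate over audit_context() (assumed helper name)."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

The same `minimum_version` check applies unchanged to a server-side context built with `ssl.PROTOCOL_TLS_SERVER`, which is the relevant side for the administrative and maintenance sessions in B.ii and B.iv; an auditor can load a service’s context factory and run `audit_context` over it without opening any network connection.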

C. Additional Commitments

Where authorized by law, data importer will notify EU data subjects of any request relating to their personal information. Further, to the extent the request is known to data importer and remedies are available under applicable law (e.g. CLOUD Act challenges or common law ‘comity’ procedures), data importer will assist the data exporter or any data subject in objecting to any order or request that they believe may authorize the bulk collection of Personal Data transferred under these Clauses, and if permitted by applicable law data importer shall not disclose or authorize the Processing of any requested Personal Data until all administrative or judicial processes pertaining to such objections have been fully adjudicated or exhausted. 


Citations

[1] 50 USC § 1881a(h)(2)(vi) (requiring FISA requests to include certification of assistance by “Communication Service Provider”); 50 USC § 1881(b)(4) (defining Electronic Communication Service Provider as “(A) a telecommunications carrier, as that term is defined in section 153 of title 47; (B) a provider of electronic communication service, as that term is defined in section 2510 of title 18 [‘any service which provides to users thereof the ability to send or receive wire or electronic communications’]; (C) a provider of a remote computing service, as that term is defined in section 2711 of title 18 [‘the provision to the public of computer storage or Processing services by means of an electronic communications system’]; (D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or (E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D)”).

[2] CJEU Judgment of 16.7.2020 (Case C-311/18) ¶ 62-63.

[3] See e.g. Gutachten zum aktuellen Stand des US-Überwachungsrechts und der Überwachungsbefugnisse (Englisch), Datenschutzkonferenz (Bayerisches Landesamt für Datenschutzaufsicht), Questions I.1.3, I.1.5.

[4] See e.g. C(2016) 4176 § 3.2.