Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into and made a part of the agreement or Order under which Customer obtains the right or subscription license to use the BigID Products and/or Services, made by and between Customer and BigID (collectively, the “Agreement”).
This DPA supplements the Agreement and sets out the terms that apply when Personal Data (defined below) is Processed (defined below) by BigID under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws, and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.
Customer understands, acknowledges and agrees that this DPA applies to itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent BigID processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, BigID may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. Data Processing Terms
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity for so long as control exists. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and BigID but has not signed its own Order with BigID and is not a “Customer” as defined under this DPA.
- “BigID” means the BigID entity that is a party to both the Agreement and to this DPA, which may be BigID, Inc., a company incorporated in the State of Delaware.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have access to the Subscription Services.
- “Customer Data” means any data, information or material originated by Customer that Customer submits to BigID, collects through its use of the Subscription Services or provides to BigID in the course of using the Subscription Services.
- “Data Subject” means the identified or identifiable person to whom Personal Data relates.
- “EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, the United Kingdom.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to: (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
- “Standard Contractual Clauses” or “SCC Services” means the standard contractual clauses annexed to the European Commission’s decision (C (2010)593) of 5 February 2010 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the text of which is available at: https://eurlex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087
- “Subscription Services” means the services provided by BigID to Customer under the Agreement.
- “Sub-processor” means any Processor engaged by BigID.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. Processing of Personal Data
- Role of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, BigID is the Processor and that BigID will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of BigID as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
- BigID’s Processing of Personal Data. BigID shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order(s); (ii) Processing initiated by Customer’s Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Details of the Processing. The subject-matter of Processing of Personal Data by BigID is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
3. Rights of the Data Subjects
- Data Subject Request. BigID shall, to the extent legally permitted, promptly notify Customer if BigID specifically receives a request from a Data Subject with regard to Customer’s Data in order to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, right to object to the Processing, or right not to be subject to automated individual decision-making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, BigID shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, BigID shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent BigID is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from BigID’s provision of such assistance.
4. European Specific Provisions
- Compliance. BigID, as Processor, has complied and will continue to comply with all applicable privacy and data protection laws including, but not limited to, EU Data Protection Legislation. Customer, as Controller, shall be responsible for ensuring that, in connection with Customer Data and the Subscription Services:
- It has complied, and will continue to comply, with all applicable privacy and data protection laws, including EU Data Protection Legislation; and
- It has, and will continue to have, the right to transfer, or provide access to, the Personal Data to BigID for processing in accordance with the terms of the Agreement and this DPA.
- Data Protection Impact Assessment. Upon Customer’s request, BigID shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to BigID. BigID shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 4.2 of this DPA, to the extent required under the GDPR.
- Supervisory Authorities. BigID shall notify the Customer without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data.
- Order of precedence. In the event that Services are covered by more than one transfer mechanism, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the Standard Contractual Clauses set forth in this DPA.
- Customers covered by the Standard Contractual Clauses (the “SCC Services”): The Standard Contractual Clauses and the additional terms specified in this Section apply to (i) Customer which is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom and (ii) its Authorized Affiliates. For the purpose of the Standard Contractual Clauses, the aforementioned entities shall be deemed “data exporters”.
- Confidentiality. BigID shall ensure that its personnel engaged in the Processing of Personal Data are informed of the sensitive nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
- Reliability. BigID shall take commercially reasonable steps to ensure the reliability of any BigID personnel engaged in the Processing of Personal Data.
- Limitation of Access. BigID shall ensure that BigID’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
- Data Protection Officer. BigID has appointed a data protection officer. The appointed person may be reached at email@example.com.
- Sub-processors. Customer acknowledges and agrees that BigID may engage BigID Affiliates and third-party sub-processors (collectively, “Sub-processors”) in connection with the provision of the Services. BigID has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- Sub-processor List. BigID shall make available to Customer the current list of Sub-processors on its webpage https://bigid.com/sub-processors/, which shall include the identities and details of those Sub-processors and their country of location, if known (“Sub-processor List”). Customer can subscribe to notifications of new Sub-processors or changes to the Sub-processor List. The Sub-processor List as of the date of execution of this DPA shall be considered authorized by Customer.
- Changes to Sub-processors. In order to provide a better service for its Customers, BigID may need to add or make changes to its Sub-processor List as described in Section 6.2. Customer may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of Personal Data if such Sub-processor cannot meet the standards of this DPA, in which case BigID shall have the right to cure the objection through one of the following options (to be selected at BigID’s sole discretion): (a) BigID will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Subscription Services without such Sub-processor; or (b) BigID will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-processor with regard to Personal Data; or (c) if none of the above options are reasonably available and the objection has not been resolved to the reasonable mutual satisfaction of the parties within a thirty (30) day period after BigID’s receipt of Customer’s objection, either party may terminate the Agreement and Customer will be entitled to a pro-rata refund for prepaid fees for Subscription Services not performed as of the date of termination.
- Emergency Replacement. BigID may replace a Sub-processor if the need for the change is urgent and necessary to provide the Subscription Services and the reason for the change is beyond BigID’s reasonable control. In such an instance, BigID shall notify the Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor pursuant to Section 6.3 above.
- Liability. BigID shall be liable for the acts and omissions of its Sub-processors to the same extent BigID would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
- Controls for the Protection of Customer Data. BigID shall implement appropriate technical and organizational measures taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a “Security Incident”) and in accordance with BigID’s security standards.
- Confidentiality of Processing. BigID shall ensure that any person that it authorizes to Process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
- Security Incidents. Upon becoming aware of a Security Incident, BigID shall notify Customer without undue delay and pursuant to the terms of the Agreement, but within no more than seventy-two (72) hours, and shall provide such timely information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under applicable legislation. BigID will take steps to immediately identify and remediate the cause of such a Security Incident.
- Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, BigID shall make available to Customer that is not a competitor of BigID (or Customer’s independent, third-party auditor that is not a competitor of BigID) a copy of BigID’s then most recent third-party audits or certifications, as applicable.
8. Return & Deletion of Customer Data
- Deletion or Return of Data. Upon termination or expiration of the Agreement, BigID shall, in accordance with the terms of the Agreement and upon request, delete or make available to Customer for retrieval all relevant Personal Data in BigID’s possession, save to the extent that BigID is required by any applicable law to retain some or all of the Personal Data. In such an event, BigID shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as BigID maintains the Personal Data.
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
BigID will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer in its use of the Services. This includes:
- Providing the Service(s) to the Customer.
- For Customer to be able to use the Services.
- For Customer to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties.
- Providing support and technical maintenance, if agreed in the Agreement.
- Resolving disputes.
- Enforcing the Agreement, this DPA and/or defending BigID’s rights.
- Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and
- Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
- All tasks related to any of the above.
Duration of Processing
Subject to Section 8 of the DPA, BigID will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s end users or consumers and/or clients
- Customer’s users authorized by Customer to use the Services
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees, agents, advisors, vendors, freelancers of Customer (who are natural persons) or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s End Users authorized by Customer to use the Services
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (email, phone, physical address)
- ID data