Strada Supplier Data Protection Addendum
Last updated: September 2024
This Data Protection Addendum (this “DPA”) is subject to the underlying framework or services agreement between Strada and Supplier (the “Agreement”), pursuant to which Supplier may be required to process Personal Information (as defined below). Capitalized terms used but not defined in this DPA shall have the meanings ascribed thereto in the Agreement.
In consideration of the mutual covenants contained herein, and other valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. Definitions
1.1. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or EU Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or EU Member State law.
1.2. “Data Protection Laws” means all applicable laws and regulations regarding privacy, security or data protection, including but not limited to, the California Consumer Privacy Act of 2018 (“CCPA”), the EU General Data Protection Regulation 2016/679 (“GDPR”), the Gramm-Leach-Bliley Act (“GLBA”), the UK Data Protection Act of 2018, and such other state, province and national laws and regulations that may apply, as any are amended, repealed or replaced. The use of “Data Protection Laws” herein means collectively all, a combination of, or any single, such law or regulation.
1.3. “Data Subject” means, with respect to any Personal Information, an identified or identifiable natural person.
1.4. “Personal Information” means any information or data processed by Supplier that (a) relates to an identified or identifiable natural person, where a Data Subject can be identified, directly or indirectly, from such information or data alone or in combination with other information or data processed by or on behalf of Supplier, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or (b) is otherwise protected under the Data Protection Laws. Personal Information includes any other information that constitutes ‘personal information’, ‘personal data’, ‘personally identifiable information’ or similar terms under applicable Data Protection Laws.
1.5. “Processing” or “Process(es)” means (a) any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means, including collection, storage, adaptation or alteration, retrieval, use, disclosure, erasure or destruction, and (b) any other activity involving Personal Information included in the definition of “processing” under Data Protection Laws.
1.6. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
1.7. “Restricted Transfer” means a transfer of Personal Information from the European Union (“EU”) or the European Economic Area (“EEA”) to any third country not recognized by the European Commission as providing an adequate level of protection.
1.8. “Standard Contractual Clauses” or “SCCs” means the EU standard contractual clauses for the transfer of personal data from the EU or the EEA to third countries, or any successor documents or transfer mechanisms. As of the Effective Date, a reference to the SCCs means the applicable module of Commission Implementing Decision (EU) 2021/914.
1.9. “Subprocessor” means any person (other than an employee of Supplier) or other entity, including Supplier’s affiliates, appointed by or on behalf of Supplier to Process Personal Information for or on behalf of Strada.
Section 2. Processing Personal Information.
2.1. Instructions; Limits on Processing. Strada hereby appoints and instructs Supplier to Process Personal Information only for the purposes of: providing services, goods or software for or on behalf of Strada; complying with applicable law; and complying with any other instruction provided by or on behalf of Strada (the “Purpose”). As defined by CCPA, and where applicable, the Purpose is a “Business Purpose”. Where Supplier Processes Personal Information on behalf of Strada for its clients, Supplier will act as Processor under the instructions of a client of Strada, with the client of Strada being the Controller (Strada shall make the client’s instructions available to Supplier prior to the Processing). Where Supplier Processes Personal Information for Strada, it acts as a Processor of Strada, with Strada being the Controller. Whether Supplier Processes Personal Information for or on behalf of Strada, it shall only Process Personal Information in accordance with the documented instructions, which may be given throughout the duration of the Order. Supplier shall only collect, retain, use, disclose or otherwise Process Personal Information for the Purpose and it shall not sell Personal Information (either as that term is commonly understood, or as “Sell” is defined by CCPA or other Data Protection Laws). Supplier shall immediately notify Strada if, in Supplier’s opinion, an instruction provided by or on behalf of Strada violates any Data Protection Law or if Supplier reasonably believes it cannot comply with its obligations under this DPA or any applicable Data Protection Laws, in which case the Parties will cooperate in good faith to identify appropriate measures to address the situation, up to and including the termination of the Order. Personal Information disclosed to Supplier by or on behalf of Strada will only be provided to Supplier, and Supplier shall only Process Personal Information, for the Purpose.
Supplier certifies that it understands and will comply with all of the limits on Processing set forth in this Section 2, including this subpart 2.1 and all other subparts of this Section 2. Strada’s instructions to Supplier will comply with Data Protection Laws and Strada will not and shall not sell Personal Information to Supplier.
2.2. Limits on Disclosure. Supplier shall not disclose any Personal Information to any third party except as necessary to fulfil the Purpose and otherwise in accordance with this DPA. If Supplier or any of its representatives is requested or required to disclose or otherwise Process any Personal Information by law or legal process (including by governmental or judicial authorities, including law enforcement), then Supplier shall inform the relevant authority that Supplier is a Processor of the Personal Information and that Strada has not authorized Supplier to disclose the Personal Information to the authority, and (if permitted by law) promptly notify Strada and reasonably cooperate in Strada’s efforts to obtain an appropriate protective order or other remedy.
2.2.1. Such notification shall include, at least, (a) information about the Personal Information requested, (b) the requesting authority, (c) the legal basis for the request and (d) the response provided (if any).
2.2.2. If Supplier is or becomes aware of any direct access by public authorities to Personal Information, then Supplier must inform Strada immediately and without undue delay with all information available to the Supplier and shall update Strada at regular intervals if it becomes aware of additional information (if permitted by applicable law).
2.2.3. If Supplier is prohibited from notifying Strada in accordance with applicable law, then Supplier agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, and as soon as possible, to Strada. Supplier agrees to document its best efforts in order to demonstrate them upon request of Strada.
2.2.4. Supplier shall, under any circumstances, regardless of whether it is permitted or not to notify Strada, review or assess the legality of the request and challenge the request, if it deems that there are reasonable grounds to consider that the request is unlawful under applicable law, and shall seek measures with a view to suspending the effects of the request. Such review or assessment and challenge shall be documented and made available to Strada or the competent authority upon request.
2.2.5. Where despite Supplier’s best efforts the disclosure of Personal Information cannot be avoided, Supplier shall only provide or disclose the minimum amount of Personal Information when responding to a request for disclosure.
2.2.6. Supplier shall preserve the information pursuant to Section 2.2.1 to 2.2.5 for, at least, the duration of the Order.
2.3. Compliance with Data Protection Laws. Each Party shall comply with its obligations under Data Protection Laws. Supplier shall provide reasonable assistance to Strada (or a client of Strada) with meeting its obligations under Data Protection Laws in relation to the Processing of Personal Information, taking into account the nature of Supplier’s Processing and the information available to Supplier.
2.4. Data Subject Rights. Supplier shall promptly notify Strada if it receives any request from a Data Subject asserting its rights under Data Protection Laws with respect to their Personal Information. Supplier will not respond to any such request except on the instructions of Strada or as required by Data Protection Laws, in which case Supplier shall to the extent permitted by such Data Protection Laws inform Strada of such requirement prior to such response. Supplier will provide Strada with reasonable assistance in its efforts to fulfil its obligations to respond to such requests, including by providing access to or information about, deleting or modifying the relevant Personal Information, in each case, to the extent required under and in accordance with Data Protection Laws. If Supplier is unable to provide any such assistance for reasons permitted under Data Protection Laws, Supplier shall promptly notify Strada of such fact and shall provide such assistance promptly after the reasons for not doing so have expired.
2.5. Return and Destruction. Upon written request of Strada, or following termination or expiration of the Order, Supplier shall, and shall require its Subprocessors to, (a) return a complete copy of all Personal Information to Strada by secure file transfer in customary machine-readable format and (b) delete or render permanently anonymous all other copies of Personal Information. Supplier shall comply with any such written request within five (5) business days (or less, if required by Data Protection Laws). Supplier and its Subprocessors may retain Personal Information as necessary to fulfil the Purpose and comply with applicable law, in which case the terms of this DPA shall continue to apply to such Personal Information for so long as it is retained.
2.6. Recordkeeping. Supplier shall keep accurate and up-to-date records regarding any Processing of Personal Information, including (a) records regarding access to and security of the Personal Information, the purposes and categories of Processing the Personal Information and its Subprocessors and (b) any other records as required by Data Protection Laws.
2.7. Employees. Personal Information shall only be accessed by Supplier’s employees and other personnel who require such access to assist Supplier in connection with the Purpose. Unless otherwise restricted by applicable local laws, Supplier will subject all new employees to a comprehensive pre-employment background check in accordance with local laws and customs. Supplier will require that written agreements that include non-disclosure and confidentiality provisions are signed by all new employees prior to their work on behalf of Supplier in conduct of the Services. Supplier will periodically provide employees with comprehensive data security and privacy training, not less than once per year.
2.8. Subprocessors. Supplier shall not subcontract any of the Processing without the prior authorization of Strada (and in certain cases, without the prior authorization of Strada’s client). Before any approved Subprocessor Processes Personal Information, Supplier will perform adequate due diligence to determine that such Subprocessor is capable of providing the level of protection of Personal Information required by this DPA. The arrangement between Supplier and each Subprocessor will be governed by a written contract that contains requirements that are consistent with and no less stringent than those that apply to Supplier under this DPA. Supplier represents that it maintains a vendor security program that assesses Subprocessors’ compliance with such contracts. Upon Strada’s written request, Supplier shall make Subprocessor data protection terms available to Strada (redacted, if necessary, to protect any confidential information).
2.9. Data Protection Impact Assessment and Prior Consultation. Supplier shall provide assistance to Strada with any data protection impact assessments, and any consultations with supervising authorities or other data privacy authorities.
Section 3. Security Measures and Policies.
3.1. Technical and Organizational Measures. Supplier shall implement and maintain appropriate physical, technical, organizational and administrative measures reasonably designed to protect against the unauthorized destruction, loss, access to or alteration of Personal Information, including the security measures in Exhibit A (Technical and Organizational Measures) of this DPA. The security measures implemented by Supplier to protect Personal Information shall be consistent with, and no less stringent than, what is required under Data Protection Laws and will ensure a level of security appropriate to the harm that might result from a Data Security Incident (defined below) and the nature of the data to be protected. Supplier shall implement and maintain written privacy and information security policies consistent with industry standards and this DPA.
3.2. Security Questionnaire. Upon Strada’s written request, to confirm compliance with this DPA, as well as any applicable laws and industry standards, Supplier shall promptly and accurately complete, within thirty (30) business days, a written information security questionnaire provided by Strada or a third party on Strada’s behalf regarding Supplier’s business practices and information technology environment in relation to all Strada and Client Data being handled and/or services being provided by Supplier to Strada pursuant to this DPA. Supplier shall fully cooperate with such inquiries. Strada will provide Supplier with the results of its security questionnaire. If the resulting security risk rating is “High”, Supplier will implement a mitigation plan within thirty (30) days to reduce the risk rating to a level acceptable to Strada. If the resulting security risk rating is “Medium”, Supplier will implement a mitigation plan within sixty (60) days to reduce the risk rating to a level acceptable to Strada. If the resulting security risk rating is “Low”, Supplier will implement a mitigation plan within ninety (90) days to reduce the risk rating to a level acceptable to Strada. If Supplier is unwilling or unable to implement a mitigation plan that is acceptable to Strada, Strada may, without penalty and without notice, terminate this DPA and the Agreement. In such case, Strada shall be responsible for any portion of the fees owed to Supplier for any Services rendered prior to the effective date of such termination.
Section 4. Data Security Incident Notification and Response.
4.1. Supplier shall notify Strada without undue delay and in accordance with the requirements of applicable Data Protection Laws, but in no event more than twenty-four (24) hours after becoming aware of a confirmed or reasonably suspected breach of security by Supplier or any of its Subprocessors leading to the unlawful or unauthorized access, alteration, destruction, disclosure or loss of Personal Information (a “Data Security Incident”).
4.2. In the event of a Data Security Incident, Supplier shall, without undue delay, (a) investigate the impact of such Data Security Incident, (b) identify the root cause of such Data Security Incident, (c) remedy the Data Security Incident and (d) prevent a recurrence of such Data Security Incident.
4.3. Supplier will provide Strada, without undue delay, information regarding the nature and consequences of the Data Security Incident, to the extent known by Supplier, including any such information necessary to allow Strada to notify relevant parties in accordance with Data Protection Laws. Supplier shall update Strada at regular intervals about new or updated information involving the Data Security Incident.
Section 5. Audits.
Notwithstanding any provision of the Order or other agreements that may exist between the Parties to the contrary, Strada may, at its own expense and upon reasonable advance notice to Supplier, audit Supplier’s books, records and other documents to the extent necessary to verify Supplier’s compliance with the terms of this DPA; provided that Strada may not exercise its audit rights hereunder more than one time in any calendar year (unless required by a client of Strada, as a follow-up audit after discovery of a non-compliance issue or otherwise required by law or in connection with any audit initiated by a governmental entity having jurisdiction over Strada or a client of Strada). Each such audit shall occur during normal business hours and shall not unreasonably interfere with Supplier’s normal business operations, and Supplier shall not be required to disclose or otherwise provide access to any information the disclosure of which would cause Supplier to violate any confidentiality obligation or applicable law. Strada may engage a third party to conduct any such audit so long as such third party is not a competitor of Supplier and enters into a confidentiality agreement. Audits under this DPA shall be subject to any additional terms and conditions regarding audits in the Order that do not conflict with the terms in this Section 5.
Section 6. Details of Processing.
Certain information regarding Supplier’s Processing of Personal Information required by Article 28(3) of GDPR is set forth in Exhibit B (Details of Processing) attached hereto and incorporated herein. Strada may make reasonable amendments to Exhibit B by notice to Supplier from time to time as Strada reasonably considers necessary to meet such requirements.
Section 7. Restricted Transfers.
If the Parties anticipate a Restricted Transfer, Strada and Supplier hereby agree to enter into the SCCs with Strada as Data Exporter and Supplier as Data Importer (or as applicable). The SCCs shall come into effect on the commencement of the Restricted Transfer and shall reference and be incorporated into this DPA. In the event of any conflict or inconsistency between this DPA and the SCCs, to the extent of such conflict or inconsistency, the SCCs shall prevail. The Parties confirm that Exhibit B shall be deemed Annex 1 to the SCCs and that the security measures set forth in Exhibit A (Technical and Organizational Measures) shall be deemed to be Annex 2 of the SCCs.
7.1. Where Strada is the Controller and Supplier the Processor, the Parties shall use Module II (Controller to Processor) of the SCCs, and where Strada is the Processor and Supplier another Processor (to Strada’s Client), the Parties shall use Module III (Processor to Processor) of the SCCs, both of which shall be populated as follows:
7.1.1. Clause 7: The optional docking clause shall apply.
7.1.2. Clause 9: Option 1 shall apply, and the time period for notice of Subprocessor changes shall be as agreed under this DPA.
7.1.3. Clause 11(a): The optional language shall not apply.
7.1.4. Clause 13 and Annex I.C.: The supervisory authority of the Republic of Ireland shall be the competent supervisory authority.
7.1.5. Clause 17: Option 1 shall apply, and the governing law shall be the laws of the Republic of Ireland.
7.1.6. Clause 18(b): Disputes shall be resolved by the courts of the Republic of Ireland.
7.1.7. Annex I: (a) the List of Parties shall be as set forth in the SFA and any applicable SOW, Change Order or other document more fully describing the applicable Services; (b) the Descriptions of Transfer shall be as set forth in Exhibit B (Details of Processing); and (c) the Competent Supervisory Authority shall be as set forth above.
7.1.8. Annex II: the Technical and Organisational Measures shall be as set forth in Exhibit A (Technical and Organisational Measures).
7.2. The Parties may supplement the Annexes to the SCCs in any SOW, Change Order or other document more fully describing the applicable Services, which shall be deemed incorporated herein by reference with respect to such Services. In the event of any conflict or inconsistency between this DPA or any such supplemental document, on the one hand, and the SCCs, on the other hand, the SCCs shall prevail to the extent required by Data Protection Laws. Notwithstanding anything to the contrary herein, in no event shall this DPA or any such supplemental document, directly or indirectly, prejudice the rights of data subjects under Data Protection Laws.
7.3. UK IDTA. If any transfer of Personal Information between Strada and Supplier requires execution of the UK IDTA in order to comply with Data Protection Laws, Strada, as Processor (or Controller, where applicable) and data exporter, and Supplier, as Processor and data importer, hereby enter into (and incorporate herein by reference) the UK IDTA effective as of the commencement of such transfer. The UK IDTA shall be populated as follows:
7.3.1. Part 1, Table 1 (Parties): The parties shall be as set forth in the Services Agreement and any applicable SOW, Change Order or other document more fully describing the applicable Services.
7.3.2. Part 1, Table 2 (Selected SCCs, Modules and Selected Clauses): The UK IDTA shall be appended to the SCCs as set forth in Section 7.1.
7.3.3. Part 1, Table 3 (Appendix Information): The appendix information shall be as set forth in Section 7.1.
7.3.4. Part 1, Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither Party may end the UK IDTA as set out in Section 19 thereof.
7.4. Swiss Data Protection Act. The SCCs, as set forth in Section 7.1, shall apply to any cross-border transfers of Personal Information governed by the Swiss Data Protection Act, with the following modifications:
7.4.1. Any references in the SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Data Protection Act, and any references in the SCCs to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss Data Protection Act.
7.4.2. Any references in the SCCs to “EU”, “Union”, “Member State” or “Member State law” shall be interpreted as references to Switzerland and the laws of Switzerland, as the case may be, and shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs. In furtherance of the foregoing, Clause 17 of the SCCs shall be modified to provide that the governing law shall be the laws of Switzerland.
7.5. Any references in the SCCs to “competent supervisory authority” or “competent courts” shall be interpreted as references to the Federal Data Protection and Information Commissioner of Switzerland (the “Swiss FDPIC”) and the courts of Switzerland, as the case may be. In furtherance of the foregoing, (a) Clause 13 and Annex I.C. of the SCCs shall be modified to provide that the Swiss FDPIC shall have authority over data transfers governed by the Swiss Data Protection Act (it being agreed that authority over data transfers not governed by the Swiss Data Protection Act shall be as otherwise set forth in this DPA) and (b) Clause 18(b) of the SCCs shall be modified to provide that disputes shall be resolved by the courts of Switzerland.
Section 8. STRADA Affiliates & Clients.
The terms of this DPA shall apply equally to any Personal Information Processed by or on behalf of Supplier for any Strada affiliate or client.
Section 9. Term; Effect of Termination.
The term of this DPA shall begin on the Effective Date and shall continue for so long as the Order remains in effect or Supplier or any of its Subprocessors possesses or retains any Personal Information. The rights and obligations of the Parties which, by their nature, should survive termination or expiration of this DPA, shall survive such termination or expiration.
Section 10. Miscellaneous.
10.1. Entire Agreement. This DPA shall be deemed incorporated into and a part of, the SFA, but to the extent of any conflict or inconsistency between the DPA and the SFA, the DPA shall supersede the SFA for purposes of this DPA. Except as expressly provided in this DPA, all of the terms and provisions of the SFA are and will remain in full force and effect and are hereby ratified and confirmed by the Parties. This DPA, together with the SFA, constitutes the sole and entire agreement of the Parties with respect to the subject matter hereof and thereof, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to such subject matter. For the avoidance of doubt, all claims and liabilities arising from or related to this DPA shall be brought under and subject to the terms of the SFA, including any provisions therein regarding indemnification, limitation of liability, dispute resolution, choice of law or choice of forum.
10.2. Severability. If any provision of this DPA, or the application thereof to any person, place or circumstance, shall be held by a court of competent jurisdiction to be invalid, void or unenforceable, the remainder of this DPA and such provision as applied to other persons, places or circumstances shall remain in full force and effect and such invalid, void or unenforceable provision shall be enforced to the fullest extent permitted by law.
10.3. Amendment; Waiver. The Parties agree to take such reasonable actions as are necessary to amend this DPA from time to time as is necessary for the Parties to comply with Data Protection Laws. This DPA may not be amended or otherwise modified unless such amendment or modification is set forth in writing, identified as amendment or modification of this DPA and signed by an authorized representative of each of the Parties. No provision of this DPA may be waived unless such waiver is set forth in writing, identified as a waiver of this DPA and signed by an authorized representative of the waiving Party. Except as otherwise provided in this DPA, no failure or delay by a Party in exercising any right under this DPA shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right.
10.4. Assignment. Neither Party may assign this DPA or any of its rights herein without the prior written consent of the non-assigning Party and any purported assignment without such consent shall be void and unenforceable; provided that each Party may, without obtaining such consent, assign this DPA as part of an assignment pursuant to and in accordance with the SFA.
10.5. No Third-Party Beneficiaries. This DPA shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns and except with respect to STRADA affiliates, nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this DPA.
10.6. Relationship of the Parties. The relationship between the Parties is that of independent contractors and this DPA will not establish any agency, partnership, joint venture, fiduciary, franchise or employment relationship between the Parties (or between one Party and a representative of the other Party). Neither Party by virtue of this DPA shall have any right, power or authority, express or implied, to bind the other Party.
10.7. Force Majeure; Excused Performance. Notwithstanding anything to the contrary in this DPA, Supplier shall not be liable for, nor be deemed to be in breach of this DPA as a result of, any failure to comply with its obligations hereunder or any other act or omission, to the extent such failure is directly attributable to (a) any failure by Strada to comply with its material obligations hereunder or under Data Protection Laws, (b) any act or omission of any vendor or other representative of Strada (other than Supplier and its Subprocessors) or (c) any act of God or other act or circumstance beyond the reasonable, unforeseeable, and unavoidable control of Supplier; provided that nothing in this Section shall limit or otherwise affect Supplier’s obligation to execute its business continuity and disaster recovery program (which shall be in place and maintained during the entire duration of the Order). Each of the Parties shall use commercially reasonable efforts to mitigate the effects of any of the foregoing circumstances.
10.8. Counterparts. This DPA may be executed in any number of counterparts, each of which when so executed and delivered shall constitute an original, but such counterparts shall constitute one and the same instrument. This DPA may be executed and delivered electronically.
10.9. Interpretation. Any ambiguity in this DPA shall be resolved in favor of a meaning that permits both Parties to comply with Data Protection Laws. Unless the express context otherwise requires, the words “hereof”, “herein”, “hereunder” and words of similar import refer to this DPA as a whole and not to any particular provision of this DPA, references to a specific section refer to the sections in this DPA unless otherwise expressly provided and the words “include”, “including” and words of similar import shall be deemed to be followed by the words “without limitation”. The captions or headings in this DPA are for convenience only and shall not be considered a part of or affect the construction or interpretation of any provision of this DPA.
10.10. Business Contact Information. Strada and Supplier may Process the other Party’s business contact information, which includes Personal Information such as an individual’s name and business e-mail address, to contact, identify or authenticate an individual in a professional or business capacity. This Processing is carried out by the Parties as independent controllers where they do business to deliver and receive the Services. Each of the Parties has implemented and follows appropriate technical and organizational measures to protect the other Party’s business contact information.
10.11. Notices. All notices under this DPA shall be sent to the contacts specified in the Agreement.
Exhibit A – Technical and Organizational Measures
1. Physical Security. Supplier maintains security controls for entry points, holding areas, telecommunications areas and cabling areas that contain information processing systems or media containing Personal Information. Security controls include:
a. Access control and restriction by use of a defined security perimeter, appropriate security barriers, security cameras, entry controls and authentication controls, and maintenance of access logs for a period of time specified by law or policy. All system clocks must be synchronized with a national or international time source;
b. Where Supplier ID cards are deployed, a requirement for all personnel, vendors, contractors and visitors to wear some form of visible identification to identify themselves as employees, contractors, vendors or visitors;
c. A clear desk/clear screen policy;
d. An automatic idle-lock for unattended equipment;
e. A requirement for visitors to Supplier’s premises to be escorted at all times; and
f. Where technically feasible and commercially reasonable, cameras and CCTVs.
2. Business Continuity and Disaster Recovery. Supplier maintains the following business continuity controls and safeguards:
a. A business continuity and disaster recovery program based on generally accepted industry practices and designed to reduce the effects of a significant disruption in Supplier’s operations;
b. Business continuity and disaster recovery programs are tested at least annually;
c. Backups of Supplier systems and software used in the delivery of Services are replicated to Supplier’s disaster recovery facility so that recovery can take place when there is a disaster; and
d. Data is replicated to Supplier’s disaster recovery facility, providing a scheduled point-in-time backup of the data to ensure integrity.
3. Network Security Controls. Supplier maintains the following network security controls and safeguards:
a. Defense-in-depth design with perimeter routers, network switches and firewall devices and default deny-all policy to protect internet presence;
b. Least privilege and authenticated access for network users and equipment;
c. Control of internet access by proxies;
d. Two-factor authentication for remote access with a non-reusable password;
e. Intrusion detection system to monitor and respond to potential intrusions;
f. Real-time network event logging and investigation using a security information and event management (SIEM) tool;
g. Content filtering and website blocking using approved lists;
h. Limitations on wireless access to the network;
i. Policies and standards for wireless network devices;
j. Prohibitions on bridging of wireless and other networks, including the corporate network; and
k. Detection and disassociation of rogue wireless access points.
4. Platform Security Controls. Supplier maintains the following platform security controls and safeguards:
a. Maintenance of configuration/hardening standards;
b. Control of changes through an internal change control process;
c. Prohibition on installing unauthorized hardware and software;
d. Where technically feasible, automatic session timeouts after periods of inactivity;
e. Removal of vendor-supplied defaults (accounts, passwords and roles) during installation;
f. Removal of services and devices that are not required by valid business needs;
g. Use of an anti-virus program with timely updates;
h. Non-privileged account access on workstations and laptops;
i. Full disk encryption and active firewall installation on laptops;
j. Development and test platforms will be segregated from operational platforms used in providing the Services;
k. Development tools such as compilers, assemblers, editors and other general-purpose utilities within the production environment will not be permitted unless expressly required for the delivery of the Services, in which case access is restricted; and
l. Software and hardware used in the delivery of the Services will be updated in line with industry standards, vendor support and security guidelines.
5. Application Security Controls. Supplier maintains the following application security controls and safeguards:
a. Defense-in-depth with the use of n-tier architecture for separation and protection of data;
b. A secure software development life cycle (SSDLC) for application development that includes training, development, testing and ongoing assessments;
c. Documentation, review, testing and approval before changes are implemented into production;
d. Identification, testing and remediation of application vulnerabilities and patches in a timely manner; and
e. A prohibition on using production data in development and testing environments.
6. Data and Asset Management. Supplier maintains the following data and asset management security controls and safeguards:
a. Technical, administrative and physical safeguards;
b. Regular backups and storage of Personal Information;
c. Encryption of Personal Information transmitted over public networks and on removable media;
d. Use of a data loss prevention tool for endpoint data transfer activities involving social security numbers or other national identification numbers;
e. Use of an inventory program to control the installation, ownership and movement of hardware, software and communications equipment;
f. Encryption, sanitization, destruction, or purging of all physical media containing Personal Information leaving Supplier’s custody to ensure that residual magnetic, optical, electrical or other representation of data has been deleted, and is not recoverable; and
g. Logical separation of Company’s Personal Information and the Personal Information of each of Company’s clients from one another, and from that of Supplier’s other clients.
7. Access Control and Management. Supplier maintains the following access control and management security controls and safeguards:
a. Monitoring and logging access and use of the Supplier systems that contain Personal Information, including logging of access attempts to the Supplier systems that contain Personal Information with regular reviews of logs and necessary actions to protect against unauthorized access or misuse;
b. Periodic review and validation of role-based access to Personal Information and prompt removal of unnecessary access;
c. Unique logon ID and passwords;
d. Strong passwords with minimum length, complexity and expiration requirements;
e. Disabling access after a limited number of failed login attempts; and
f. Rejection of previously used passwords.
8. Risk Management. Supplier maintains the following risk management controls and safeguards:
a. An information security risk management system aligned to ISO 27001 standard (BS EN ISO/IEC 27001);
b. A cycle of risk assessments of critical assets, the frequency of which depends on the number of residual risks identified at each site;
c. Risk analysis is documented using standardized risk assessment templates; and
d. Risk management activities are established when risks are defined and agreed with the asset owners.
9. Vulnerability and Patch Management. Supplier takes the following measures designed to identify and mitigate vulnerabilities that threaten Supplier’s ability to ensure the confidentiality, integrity, and availability of Personal Information:
a. A vulnerability monitoring process that provides alerts or notifications of new fixes available, and the resulting timeframe for remediation;
b. Regular scanning to identify and remediate vulnerabilities promptly;
c. Classification of vulnerabilities based on severity to allow for remediation based on predetermined service level expectations; and
d. Penetration tests at least once annually and prior to any new release or upgrade, on applicable Supplier environments, including perimeter vulnerability testing, internal infrastructure vulnerability testing and application testing.
Exhibit B – Details of Processing
Processing Operations
The Processing operations to be carried out under this DPA are as follows: the Personal Information received on behalf of Company will be used to provide services and software under the Order (e.g., payroll and other business process outsourcing services, benefits-related services, software consulting and related activities), and the Processing operations may include, but are not limited to:
- providing data processing software, equipment, and services through various tools, applications and vendors;
- storing Personal Information;
- preventing unauthorized access to or modification of Personal Information (and other non-Personal Information);
- programming, printing and assembling, reviewing, and modifying statements as directed by Company;
- communicating with data subjects in connection with services provided to Company; and
- providing reference materials as requested by Company.
The purpose of the processing operations above is to provide the Services in accordance with the Order.
Data Subjects
The Personal Information to be Processed by Supplier for or on behalf of Company concerns the following categories of data subjects: current, former and/or prospective employees, their relatives and family members and other representatives of Company, Company’s affiliates or clients of Company.
Categories of Personal Information to be Processed
The Personal Information processed by Supplier comprises the following categories:
HR/Employee data, which may include but is not limited to: full name; employee identification number; contact information (including home and work address, home and work telephone numbers, mobile telephone numbers, web address data, home and work email address); marital status; citizenship information; date of birth; gender; driver’s license information; national and governmental identification information; financial information (including salary and account balances); benefit program information (including benefit elections, beneficiary information, claims information, benefit plan account numbers and balances, and date of retirement); payroll information; professional or employment information (including date of hire, employment status, pay history, tax withholding information, performance records, leave information, and date of termination); and such other personal information that may be transferred from (or on behalf of) Company to Supplier for performing services for Company.
Related persons’ data, which may include but is not limited to: name, date of birth, gender and contact information of dependents or beneficiaries (including home address; home and work telephone numbers; mobile telephone numbers).
Special categories of Personal Information
None, unless specifically agreed in the Agreement.