Strada DPA Terms
Last updated: October 2024
This Data Protection Addendum (this “DPA”) is subject to the underlying services agreement between Strada and Client (the “Services Agreement”), pursuant to which Strada may be required to process Personal Data (as defined below).
Section 1. Definitions. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed thereto in the Services Agreement. Unless the express context otherwise requires, any reference to the Services Agreement includes any order form, statement of work or other ordering document entered into thereunder.
1.1. “Data Protection Laws” means all applicable laws and regulations regarding privacy, security or data protection, including, as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Gramm-Leach-Bliley Act (“GLBA”), the UK Data Protection Act of 2018, or the UK GDPR, as any are amended, repealed or replaced.
1.2. “Data Subject” means, with respect to any Personal Data, an identified or identifiable natural person.
1.3. “Personal Data” means any information processed by or on behalf of Strada for Client in connection with the Services Agreement that (a) relates to a Data Subject, who can be identified, directly or indirectly, from such information alone or in combination with other information processed by or on behalf of Strada, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person or (b) is otherwise protected under the Data Protection Laws. Personal Data includes any other information that constitutes ‘personal data’, ‘personal information’, ‘personally identifiable information’ or similar terms under applicable Data Protection Laws.
1.4. “Processing” or “Process(es)” means (a) any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, storage, adaptation or alteration, retrieval, use, disclosure, erasure or destruction, and (b) any other activity involving Personal Data included in the definition of “processing” under Data Protection Laws.
1.5. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data from the European Union (“EU”) or the European Economic Area (“EEA”) to third countries annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor documents or transfer mechanisms.
1.6. “Subprocessor” means any person (other than an employee), including Strada’s affiliates, appointed by or on behalf of Strada to Process Personal Data on behalf of Client.
1.7. “UK IDTA” means the International Data Transfer Addendum to the SCCs, version B1.0, approved by the United Kingdom (“UK”) parliament on 21 March 2022, issued under Section 119A of the Data Protection Act 2018 to comply with Article 46 of the UK GDPR when making restricted transfers, or any successor documents or transfer mechanisms.
Section 2. Processing Personal Data.
2.1. Instructions; Limits on Use. Client (as the controller) hereby appoints and instructs Strada (as the processor) to Process Personal Data for the purpose of performing the Services and otherwise complying with any of its obligations or asserting any of its rights under the Services Agreement and this DPA, complying with applicable law and complying with any other instruction provided by or on behalf of Client (the “Purpose”). Strada shall only retain, use, disclose or otherwise Process Personal Data for the Purpose. Client is responsible to provide Strada with any relevant information necessary to perform the Purpose and shall ensure that its instructions to Strada comply with Data Protection Laws. Strada shall immediately notify Client if, in its opinion, an instruction provided by or on behalf of Client is in conflict with any Data Protection Law; provided that Strada shall have no responsibility to seek out or discover such conflicts or to otherwise ensure that such conflicts do not exist. In the event Strada notifies Client of any such conflict, Strada may suspend the execution of the applicable instruction to the extent necessary to avoid such conflict while the Parties cooperate in good faith to resolve such matter in a timely manner.
2.2. Limits on Disclosure. Strada shall not disclose any Personal Data to any third party except as necessary to fulfil the Purpose and otherwise in accordance with this DPA. Client shall only disclose Personal Data to Strada to the extent requested by Strada or as otherwise necessary for the Purpose. Client shall not disclose or share Personal Data with Strada except in the standard and agreed-upon format and manner.
2.3. Compliance with Data Protection Laws. Each Party shall comply with its obligations under Data Protection Laws. Strada shall provide reasonable assistance to Client with meeting its obligations under Data Protection Laws in relation to the Processing of Personal Data, taking into account the nature of Strada’s Processing and the information available to Strada. Strada shall notify Client if it reasonably believes that it cannot comply with its obligations under this DPA or any applicable Data Protection Laws, in which case the Parties will cooperate in good faith to identify appropriate measures to address the situation.
2.4. Supervisory Authority Requests. If Client receives a request for information from a competent supervisory authority in relation to Processing of Personal Data by Strada (including details regarding the Purpose), Strada shall provide reasonable assistance to Client in responding to such request to the extent Client does not otherwise have access to such information, and taking into account the nature of the Processing and information available to Strada.
2.5. Data Protection Impact Assessment and Prior Consultation. Strada shall provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which Client reasonably considers to be required by the Data Protection Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Strada.
2.6. Data Subject Rights. Strada shall promptly notify Client if it receives any request from a Data Subject asserting rights under Data Protection Laws with respect to their Personal Data. Strada will not respond to any such request except on the written instructions (including email) of Client or as required by Data Protection Laws, in which case Strada shall, to the extent permitted by such Data Protection Laws, inform Client of such requirement prior to such response. Strada will provide Client with reasonable assistance in its efforts to fulfill its obligations to respond to such requests, including by providing access to or information about, deleting or modifying the relevant Personal Data, in each case, to the extent required under and in accordance with Data Protection Laws. If Strada is unable to provide any such assistance for reasons permitted under Data Protection Laws, Strada shall promptly notify Client of such fact and shall provide such assistance promptly after the reasons for not doing so have expired.
2.7. Return and Destruction. Upon written request of Client, or following termination or expiration of the Services Agreement, Strada shall, and shall require its Subprocessors to, (a) return a copy of Personal Data to Client by secure file transfer in Strada’s customary format and (b) delete or render permanently anonymous all other copies of Personal Data. Strada shall comply with any such written request within 20 business days. Strada and its Subprocessors may retain Personal Data as necessary to fulfil the Purpose and comply with applicable law, in which case the terms of this DPA shall continue to apply to such Personal Data for so long as it is retained.
2.8. Recordkeeping. Strada shall keep accurate and up-to-date records regarding any Processing of Personal Data, including (a) records regarding access to and security of the Personal Data, the purposes and categories of Processing the Personal Data and its Subprocessors and (b) any other records as required by Data Protection Laws. This DPA serves as a record of processing activities as required under Art. 30(2) GDPR.
2.9. Employees. Personal Data shall only be accessed by Strada employees who require such access to assist Strada in connection with the Purpose. Unless otherwise restricted by applicable local laws, Strada requires that all new employees be subjected to a comprehensive pre-employment background check in accordance with local laws and customs. Strada requires that agreements that include non-disclosure/confidentiality provisions be signed by all new employees. Strada provides employees with periodic data security and privacy training.
2.10. Subprocessors. Client generally authorizes Strada to appoint Subprocessors to support performance of the Services. Strada will list and maintain Strada affiliates and third-party subprocessors that may process personal information to support Strada’s performance of the relevant services, subject to the terms of Strada’s Services Agreement (subscription link: https://splist.stradaglobal.com/sites/splist/pages/Home.aspx). Solely to the extent necessary to comply with Data Protection Laws, Client shall have the right to object to any change within 10 business days of such notice; provided that Client may only object on the basis of reasonable concerns that the new or replacement Subprocessor is not capable of providing the level of protection of Personal Data required by this DPA. If Client does not object to the appointment within such period of time, Strada may engage the new or replacement Subprocessor to Process Personal Data. If Client objects to the appointment within such period of time, Strada may choose to (a) not use such Subprocessor or (b) take the corrective steps requested by Client in its objection and use the Subprocessor. Strada shall work with Client in good faith to make available materials evidencing any Subprocessor’s ability to provide the level of protection of Personal Data required by this DPA. Strada shall remain responsible for the use, disclosure or other Processing of Personal Data by any of its Subprocessors to the same extent as if such use, disclosure or other Processing was by Strada. Before any Subprocessor Processes Personal Data, Strada will carry out adequate due diligence to determine that such Subprocessor is capable of providing the level of protection of Personal Data required by this DPA. The arrangement between Strada and each Subprocessor will be governed by a written contract that contains requirements that are consistent and no less stringent than those that apply to Strada under this DPA. 
Strada represents that it maintains a vendor security program that assesses Subprocessors’ compliance with such contracts. Upon Client’s written request, Strada shall make a summary of Subprocessor data protection terms available to Client (redacted, if necessary, to protect any confidential information).
2.11. Government Access. If Strada or any of its representatives is requested or required to disclose to a government authority (including law enforcement) or otherwise Process any Personal Data by law or legal process outside the defined Purpose, then Strada shall (if permitted by law) promptly and reasonably challenge such request, notify Client and reasonably cooperate (at Client’s expense) in Client’s efforts to obtain an appropriate protective order or other remedy. Strada will disclose to the relevant government authority that (i) Strada is a processor of the Personal Data, (ii) Client has not authorized such disclosure and (iii) any and all requests or demands for access to the Personal Data should be notified to or served upon Client. Notwithstanding the foregoing, Client acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority request. In no event will Strada disclose more Personal Data than is required to comply with the request for disclosure.
Section 3. Technical and Organizational Measures. Strada shall implement and maintain appropriate physical, technical, organizational and administrative measures reasonably designed to protect against the unauthorized destruction, loss, access to or alteration of Personal Data, including the measures listed in Exhibit A attached hereto and incorporated herein. The measures implemented by Strada to protect Personal Data shall be consistent and no less stringent than what is required under Data Protection Laws. Strada shall implement and maintain written privacy and information security policies consistent with industry standards.
Section 4. Data Security Incident Notification and Response.
4.1. Strada shall notify Client without undue delay and in accordance with the requirements of applicable Data Protection Laws of any confirmed or reasonably suspected breach of security by Strada or any of its Subprocessors leading to the unlawful or unauthorized access, alteration, destruction, disclosure or loss of Personal Data (a “Data Security Incident”).
4.2. In the event of a Data Security Incident, Strada shall take reasonable and appropriate measures to (a) investigate the impact of such Data Security Incident, (b) identify the root cause of such Data Security Incident, (c) remedy the Data Security Incident and (d) prevent a reoccurrence of such Data Security Incident.
4.3. Strada will provide Client without undue delay information regarding the nature and consequences of the Data Security Incident, to the extent known by Strada, including any such information necessary to allow Client to notify relevant parties in accordance with Data Protection Laws. Strada will not notify any third parties without the prior instruction of Client to do so in writing or where required by law.
Section 5. Audits.
5.1. Client may, at its own expense and upon reasonable advance notice to Strada, audit Strada’s books, records and other documents to the extent necessary to verify Strada’s compliance with the terms of this DPA; provided that Client may not exercise its audit rights hereunder more than one time in any 12-month period (unless otherwise required by law or in connection with any audit initiated by a governmental entity having jurisdiction over Client). Each such audit shall occur during normal business hours and shall not unreasonably interfere with Strada’s normal business operations, and Strada shall not be required to disclose or otherwise provide access to any information the disclosure of which would cause Strada to violate any confidentiality obligation or applicable law. Client may engage a third party to conduct any such audit so long as such third party is not a competitor of Strada and enters into a confidentiality agreement reasonably acceptable to Strada. Client may not connect hardware to Strada networks or install software on Strada systems to perform audits without prior review and the written consent of Strada. Audits under this DPA shall be subject to any additional terms and conditions regarding audits in the Services Agreement.
5.2. Where Strada demonstrates compliance with industry-recognized reports or approved code of conduct attestations (such as ISO 27001/22301, AICPA SSAE 18 SOC 1, AICPA SSAE 18 SOC 2 Type 2, or the EU Cloud Code of Conduct), Client may only audit areas not encompassed by these certifications or approved codes of conduct.
Section 6. CCPA/CPRA. This Section shall apply to any Personal Data that is governed by CCPA/CPRA.
6.1. Client represents and warrants to Strada that any Personal Data disclosed by or on behalf of Client hereunder is provided solely for the Purpose, which is a “Business Purpose” (as defined under CCPA/CPRA).
6.2. Strada shall only retain, use and disclose Personal Data for the Purpose and not for any other commercial purpose or otherwise outside the relationship between Strada and Client. Strada shall not sell, share or commingle Personal Data unless expressly permitted by the CCPA/CPRA. Strada shall comply with its obligations under CCPA/CPRA. Strada shall promptly notify Client if it can no longer comply with its obligations under CCPA/CPRA.
6.3. Strada acknowledges and agrees that Client shall have the right to take reasonable and appropriate steps to (a) ensure that Strada uses the Personal Data in a manner consistent with Client’s obligations under CCPA/CPRA and (b) stop and remediate unauthorized use of Personal Data.
6.4. Client shall promptly inform Strada of any consumer request made pursuant to CCPA/CPRA that Strada must comply with, and provide the information necessary for Strada to comply with such request.
Section 7. Details of Processing. Certain information regarding Strada’s Processing of Personal Data required by Article 28(3) of GDPR is set forth in Exhibit B attached hereto and incorporated herein. Client may make reasonable amendments to Exhibit B by notice to Strada from time to time as Client reasonably considers necessary to meet such requirements. Nothing in Exhibit B confers any right or imposes any obligation on any Party.
Section 8. Cross-Border Transfers.
8.1. General. Neither Party will transfer Personal Data across borders unless such transfer complies with Data Protection Laws. The Parties will reasonably cooperate as necessary to determine whether any cross-border transfer of Personal Data between Client and Strada in connection with the Purpose complies with Data Protection Laws.
8.2. SCCs. If any transfer of Personal Data between Client and Strada requires execution of the SCCs in order to comply with Data Protection Laws, Client, as controller and data exporter, and Strada, as processor and data importer, hereby enter into (and incorporate herein by reference) the SCCs effective as of the commencement of such transfer. The Parties shall use Module II (Controller to Processor) of the SCCs, which shall be populated as follows:
8.2.1. Clause 7: The optional docking clause shall apply.
8.2.2. Clause 9: Option 2 shall apply, and the time period for notice of Subprocessor changes shall be as agreed under this DPA.
8.2.3. Clause 11(a): The optional language shall not apply.
8.2.4. Clause 13 and Annex I.C.: The supervisory authority of the Republic of Ireland shall be the competent supervisory authority.
8.2.5. Clause 17: Option 1 shall apply, and the governing law shall be the laws of the Republic of Ireland.
8.2.6. Clause 18(b): Disputes shall be resolved by the courts of the Republic of Ireland.
8.2.7. Annex I: (a) the List of Parties shall be as set forth in the Services Agreement and any applicable order form, statement of work, change order or other document more fully describing the applicable Services; (b) the Descriptions of Transfer shall be as set forth in Exhibit B (Details of Processing); and (c) the Competent Supervisory Authority shall be as set forth above.
8.2.8. Annex II: the Technical and Organisational Measures shall be as set forth in Exhibit A (Technical and Organisational Measures), which are substantially the same for Strada and its Subprocessors.
8.2.9. Annex III: the List of Subprocessors shall be maintained in accordance with Section 2.10 (Subprocessors).
8.2.10. The Parties may supplement the Annexes to the SCCs in any order form, statement of work, change order or other document more fully describing the applicable Services, which shall be deemed incorporated herein by reference with respect to such Services. In the event of any conflict or inconsistency between this DPA or any such supplemental document, on the one hand, and the SCCs, on the other hand, the SCCs shall prevail to the extent required by Data Protection Laws. Notwithstanding anything to the contrary herein, in no event shall this DPA or any such supplemental document, directly or indirectly, prejudice the rights of data subjects under Data Protection Laws.
8.3. UK IDTA. If any transfer of Personal Data between Client and Strada requires execution of the UK IDTA in order to comply with Data Protection Laws, Client, as controller and data exporter, and Strada, as processor and data importer, hereby enter into (and incorporate herein by reference) the UK IDTA effective as of the commencement of such transfer. The UK IDTA shall be populated as follows:
8.3.1. Part 1, Table 1 (Parties): The parties shall be as set forth in the Services Agreement and any applicable order form, statement of work, change order or other document more fully describing the applicable Services.
8.3.2. Part 1, Table 2 (Selected SCCs, Modules and Selected Clauses): The UK IDTA shall be appended to the SCCs as set forth in Section 8.2 (SCCs).
8.3.3. Part 1, Table 3 (Appendix Information): The appendix information shall be as set forth in Section 8.2 (SCCs).
8.3.4. Part 1, Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither Party may end the UK IDTA as set out in Section 19 thereof.
8.4. Swiss Data Protection Act. The SCCs, as set forth in Section 8.2 (SCCs), shall apply to any cross-border transfers of Personal Data governed by the Swiss Data Protection Act, with the following modifications:
8.4.1. Any references in the SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Data Protection Act, and any references in the SCCs to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss Data Protection Act.
8.4.2. Any references in the SCCs to “EU”, “Union”, “Member State” or “Member State law” shall be interpreted as references to Switzerland and the laws of Switzerland, as the case may be, and shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs. In furtherance of the foregoing, Clause 17 of the SCCs shall be modified to provide that the governing law shall be the laws of Switzerland.
8.4.3. Any references in the SCCs to “competent supervisory authority” or “competent courts” shall be interpreted as references to the Federal Data Protection and Information Commissioner of Switzerland (the “Swiss FDPIC”) and the courts of Switzerland, as the case may be. In furtherance of the foregoing, (a) Clause 13 and Annex I.C. of the SCCs shall be modified to provide that the Swiss FDPIC shall have authority over data transfers governed by the Swiss Data Protection Act (it being agreed that authority over data transfers not governed by the Swiss Data Protection Act shall be as otherwise set forth in this DPA) and (b) Clause 18(b) of the SCCs shall be modified to provide that disputes shall be resolved by the courts of Switzerland.
Section 9. Client Affiliates. The terms of this DPA shall apply equally to any Personal Data Processed by or on behalf of Strada for any Client affiliate. Client represents and warrants that it is and will at all relevant times remain duly and effectively authorized to enter into this DPA and perform all of its obligations hereunder on behalf of each such Client affiliate. Client shall at all times be liable for Client’s affiliates’ compliance with this DPA and all acts and omissions by Client’s affiliates receiving Services under the Services Agreement are deemed acts and omissions of Client.
Section 10. Client Obligations. If Client directs Strada to provide Personal Data to any Client vendor or other representative (other than Strada), Client shall be responsible for the acts and omissions of such vendor or other representative with respect thereto. Client shall be responsible for maintaining all rights (including the lawful legal basis), obtaining any licenses, authorizations, approvals and consents and providing all notices, in each case, required for Strada to Process Personal Data for the Purpose. Client remains responsible for ensuring that its retention, use, disclosure or other Processing of Personal Data complies with its policies and practices and the laws applicable thereto.
Section 11. Term; Effect of Termination. The term of this DPA shall begin on the effective date of the Services Agreement and shall continue for so long as the Services Agreement remains in effect or Strada or any of its Subprocessors retains any Personal Data. The rights and obligations of the Parties which, by their nature, should survive termination or expiration of this DPA, shall survive such termination or expiration.
Section 12. Miscellaneous.
12.1. Entire Agreement. This DPA shall be deemed incorporated into and a part of the Services Agreement. This DPA, together with the Services Agreement, constitutes the sole and entire agreement of the Parties with respect to the subject matter hereof and thereof, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to such subject matter. For the avoidance of doubt, all claims and liabilities arising from or related to this DPA shall be brought under and subject to the terms of the Services Agreement, including any provisions therein regarding indemnification, limitation of liability, dispute resolution, choice of law or choice of forum.
12.2. Severability. If any provision of this DPA, or the application thereof to any person, place or circumstance, shall be held by a court of competent jurisdiction to be invalid, void or unenforceable, the remainder of this DPA and such provision as applied to other persons, places or circumstances shall remain in full force and effect and such invalid, void or unenforceable provision shall be enforced to the fullest extent permitted by law.
12.3. Amendment; Waiver. The Parties agree to take such reasonable actions as are necessary to amend this DPA from time to time as is necessary for the Parties to comply with Data Protection Laws. This DPA may not be amended or otherwise modified unless such amendment or modification is set forth in writing, identified as amendment or modification of this DPA and signed by an authorized representative of each of the Parties. No provision of this DPA may be waived unless such waiver is set forth in writing, identified as a waiver of this DPA and signed by an authorized representative of the waiving Party. Except as otherwise provided in this DPA, no failure or delay by a Party in exercising any right under this DPA shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right.
12.4. No Third Party Beneficiaries. This DPA shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this DPA.
12.5. Relationship of the Parties. The relationship between the Parties is that of independent contractors and this DPA will not establish any agency, partnership, joint venture, fiduciary, franchise or employment relationship between the Parties (or between one Party and a representative of the other Party). Neither Party by virtue of this DPA shall have any right, power or authority, express or implied, to bind the other Party.
12.6. Force Majeure; Excused Performance. Notwithstanding anything to the contrary in this DPA, Strada shall not be liable for, nor be deemed to be in breach of this DPA as a result of, any failure to comply with its obligations hereunder or any other act or omission attributable to (a) any failure by Client to comply with its obligations hereunder or under Data Protection Laws, (b) any act or omission of any vendor or other representative of Client (other than Strada and its Subprocessors) or (c) any act of God or other act or circumstance beyond the reasonable control of Strada; provided that nothing in this Section shall limit or otherwise affect Strada’s obligation to execute its business continuity and disaster recovery program. Each of the Parties shall use commercially reasonable efforts to mitigate the effects of any of the foregoing circumstances.
12.7. Interpretation. Any ambiguity in this DPA shall be resolved in favor of a meaning that permits both Parties to comply with Data Protection Laws. Unless the express context otherwise requires, the words “hereof”, “herein”, “hereunder” and words of similar import refer to this DPA as a whole and not to any particular provision of this DPA, references to a specific section refer to the sections in this DPA unless otherwise expressly provided and the words “include”, “including” and words of similar import shall be deemed to be followed by the words “without limitation”. The captions or headings in this DPA are for convenience only and shall not be considered a part of or affect the construction or interpretation of any provision of this DPA.
12.8. Notices. All notices under this DPA to Strada shall be sent to stradaclientcontracting@alight.com. All notices under this DPA to Client shall be sent in accordance with the Services Agreement.
12.9. Business Contact Information. Strada and Client may Process the other Party’s business contact information, which includes Personal Data such as an individual’s name and business e-mail address, to contact, identify or authenticate an individual in a professional or business capacity. This Processing is carried out as independent controllers where they do business to deliver and receive the Services. Each of the Parties has implemented and follows appropriate technical and organizational measures to protect the other Party’s business contact information.
Exhibit A – Technical and Organisational Measures
1. Physical Security.
Strada maintains security controls for entry points, holding areas, telecommunications areas and cabling areas that contain information processing systems or media containing Personal Data. Security controls include:
• Access control and restriction by use of a defined security perimeter, appropriate security barriers, security cameras, entry controls and authentication controls, and maintenance of access logs for a period of time specified by law or policy;
• Where Strada ID cards are deployed, a requirement for all personnel, vendors, contractors and visitors to wear some form of visible identification to identify themselves as employees, contractors, vendors or visitors;
• A clear desk/clear screen policy;
• An automatic idle-lock for unattended equipment;
• A requirement for visitors to Strada’s premises to be escorted at all times; and
• Where technically feasible and commercially reasonable, cameras and CCTVs.
2. Business Continuity and Disaster Recovery.
Strada maintains the following business continuity controls and safeguards:
• The business continuity and disaster recovery program is based on generally accepted industry practices designed to reduce the effects of a significant disruption in Strada’s operations;
• Business continuity and disaster recovery programs are tested at least annually;
• Backups of Strada systems and software used in the delivery of Services are replicated to its disaster recovery facility so that recovery can take place when there is a disaster; and
• Data is replicated to its disaster recovery facility, providing a scheduled point in time backup of the data to ensure integrity.
3. Network Security Controls.
Strada maintains the following network security controls and safeguards:
• Defense-in-depth design with perimeter routers, network switches and firewall devices and default deny-all policy to protect internet presence;
• Least privilege and authenticated access for network users and equipment;
• Control of internet access by proxies;
• Two-factor authentication for remote access with a non-reusable password;
• Intrusion detection system to monitor and respond to potential intrusions;
• Real-time network event logging and investigation using a security information event management tool;
• Content filtering and website blocking using approved lists;
• Limitations on wireless access to the network;
• Policies and standards for wireless network devices;
• Prohibitions on bridging of wireless and other networks, including the corporate network; and
• Detection and disassociation of rogue wireless access points.
4. Platform Security Controls.
Strada maintains the following platform security controls and safeguards:
• Maintenance of configuration/hardening standards;
• Control of changes through an internal change control process;
• Prohibition on installing unauthorized hardware and software;
• Where technically feasible, automatic session timeouts after periods of inactivity;
• Removal of vendor-supplied defaults (accounts, passwords and roles) during installation;
• Removal of services and devices that are not required by valid business needs;
• Use of an anti-virus program with timely updates;
• Non-privileged account access on workstations and laptops;
• Full disk encryption on laptops;
• Development and test platforms will be segregated from operational platforms used in providing the Services;
• Development tools such as compilers, assemblers, editors and other general-purpose utilities within the production environment will not be permitted unless expressly required for the delivery of the Services, in which case access is restricted; and
• Software and hardware used in the delivery of the Services will be updated in line with industry standards, vendor support and security guidelines.
5. Application Security Controls.
Strada maintains the following application security controls and safeguards:
• Defense-in-depth with the use of n-tier architecture for separation and protection of data;
• A secure software development life cycle (SSDLC) for application development that includes training, development, testing and ongoing assessments;
• Documentation, review, testing and approval before changes are implemented into production;
• Identification, testing and remediation of application vulnerabilities and patches in a timely manner; and
• A prohibition on using production data in development and testing environments.
6. Data and Asset Management.
Strada maintains the following data and asset management security controls and safeguards:
• Technical, administrative and physical safeguards;
• Regular backups and storage of Personal Data;
• Encryption of Personal Data transmitted over public networks and on removable media;
• Use of a data loss prevention tool for endpoint data transfer activities involving social security numbers or other national identification numbers;
• Use of an inventory program to control the installation, ownership and movement of hardware, software and communications equipment;
• Encryption, sanitization, destruction, or purging of all physical media containing Personal Data leaving Strada’s custody to ensure that residual magnetic, optical, electrical or other representation of data has been deleted, and is not recoverable; and
• Logical separation of Personal Data of a Strada client from other Strada clients.
7. Access Control and Management.
Strada maintains the following access control and management security controls and safeguards:
• Monitoring and logging access and use of the Strada systems that contain Personal Data, including logging of access attempts to the Strada systems that contain Personal Data;
• Periodic review and validation of role-based access to Personal Data and prompt removal of unnecessary access;
• Unique logon ID and passwords;
• Strong passwords with minimum length, complexity and expiration requirements;
• Disabling access after a limited number of failed login attempts; and
• Rejection of previously used passwords.
8. Risk Management.
Strada maintains the following risk management controls and safeguards:
• An information security risk management system aligned to The Standard of Good Practice for Information Security (Information Security Forum);
• A cycle of risk assessments of critical assets, the frequency of which is dependent on the number of residual risks identified at each site;
• Risk analysis is documented using standardized risk assessment templates; and
• Risk management activities are established when risks are defined and agreed with the asset owners.
9. Vulnerability and Patch Management.
Strada takes the following measures designed to identify and mitigate vulnerabilities that threaten Strada’s ability to enforce the confidentiality, integrity, and availability of Personal Data:
• A vulnerability monitoring process that provides alerts or notifications of new fixes available, and the resulting timeframe for remediation;
• Regular scanning to identify and remediate vulnerabilities promptly;
• Classification of vulnerabilities based on severity to allow for remediation based on predetermined service level expectations; and
• Penetration tests on applicable Strada environments, including perimeter vulnerability testing, internal infrastructure vulnerability testing and application testing.
Exhibit B – Details of Processing
Processing Operations
The Processing operations to be carried out under this DPA are as follows: The Personal Data received on behalf of Client will be used for performing Services under the Services Agreement (e.g., payroll and other business process outsourcing services, software consulting and related activities) and may include:
• providing data processing software, equipment, and services through various tools, applications and vendors;
• application maintenance and configuration;
• data uploads and transfers;
• storing or recording Personal Data;
• preventing unauthorized access to or modification of Personal Data (and other non-Personal Data);
• programming, printing and assembling, reviewing, and modifying statements as directed by Client;
• communicating with data subjects in connection with services provided to Client; and
• providing reference materials as requested by Client.
The purpose of the processing operations above is to provide the Services in accordance with the Services Agreement.
Data Subjects
The Personal Data to be Processed by Strada on behalf of Client concern the following categories of data subjects: current, former and/or prospective employees, their relatives and family members and other representatives of Client and Client’s affiliates.
Categories of Personal Data to be Processed
The Personal Data processed by Strada comprise the following categories: HR/Employee data, which may include: full name; maiden name; employee identification number; user name; picture; contact information (including home and work address, home and work telephone numbers, mobile telephone numbers, web address data, home and work email address); marital status; citizenship information; date of birth; gender; drivers’ license information; national and governmental identification information; financial information (including bank account, garnishments, loans, salary and account balances); benefit program information (including benefit elections, beneficiary information, claims information, benefit plan account numbers and balances, and date of retirement); payroll information; professional or employment information (including date of hire, employment status, job title, work and educational history, pay history, tax withholding information, performance records, leave information, travel information and date of termination); and such other personal data that may be transferred from (or on behalf of) Client to Strada for performing services for Client.
Related persons’ data, which may include but is not limited to: name, date of birth, gender and contact information of dependents or beneficiaries (including home address; home and work telephone numbers; mobile telephone numbers); and such other personal data that may be transferred from (or on behalf of) Client to Strada for performing services for Client.
Special categories of Personal Data
The Personal Data processed by Strada may include sensitive personal data, including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, health, genetic, biometric or medical records, and/or criminal records.