CHEQ Data Processing Agreement
January 1 2024
The security of our customer data is of utmost importance to us. We (“CHEQ” as such term is defined in the Order or “We” or “Service Provider”), want to make the Customer’s (as such term is defined below) experience satisfying and safe. Because We secure and process certain types of information, we believe that our customers should fully understand the terms and conditions surrounding the Processing of data through our Services. This Data Processing Agreement (the “DPA”) describes how We process and secure Personal Data (as defined below) and shall be subject to the Terms (as defined below). Any term used herein and not otherwise defined, shall have the meaning ascribed thereto in the Terms.
The Customer using the Services under the Terms and the Service Provider are parties to the Terms to which this DPA applies. If Service Provider Processes Personal Data, or if Service Provider has access to Personal Data during its performance of Services under the Terms, the parties shall comply with the terms and conditions of this DPA.
All capitalized terms not defined in this DPA, shall have the meanings set forth in the Terms.
“Approved Jurisdiction” means a member state of the European Economic Area (“EEA“), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
“CCPA” means the California Consumer Privacy Act of 2018.
“CPRA” means the California Privacy Rights Act of 2020.
“Controller” means Customer, within the meaning of article 4 (7) of the GDPR.
“Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives, and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of personal data, including the GDPR, the UK GDPR, CCPA and CPRA.
“Personal Data” shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Process” or “Processing” shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Processor” means CHEQ, within the meaning of article 4 (8) of the GDPR.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
“Special Categories of Data” shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Standard Contractual Clauses” means the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this DPA.
“Terms” means the agreement entered between the Customer and the Service Provider with respect to the provision of the Services and the Order.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
If Service Provider has access to, or otherwise Processes Personal Data, then Service Provider shall:
3.1 only Process the Personal Data in accordance with Customer’s documented instructions and on its behalf, and in accordance with the Terms and this DPA.
3.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this DPA).
3.3 assist Customer as needed to cooperate with and respond to requests from supervisory authorities, data subjects, customers, or others to provide information (including details of the Services provided by Service Provider) related to Service Provider’s Processing of Personal Data.
3.4 notify the Customer without undue delay, and no later than two (2) business days after becoming aware of a Security Incident.
3.5 provide full, reasonable cooperation and assistance to Customer in:
3.5.1 allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the Processing, or the right not to be subject to an automated individual decision making, or do not sell my data.
3.5.2 ensuring compliance with any notification obligations of Personal Data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws.
3.5.3 ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable).
3.6 only Process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Terms.
3.7 as required under Data Protection Laws, maintain accurate written records of all the Processing activities of any Personal Data carried out under the Terms (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request.
3.8 make all reasonable efforts to ensure that Personal Data is accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so.
3.9 not lease, sell (including as defined in the CCPA and CPRA) or otherwise distribute Personal Data.
3.10 promptly notify Customer of any investigation, litigation, arbitrated matter, or other dispute relating to Service Provider’s information security or privacy practices as it relates to the Processing of Personal Data, provided such notification is legally permissible.
3.11 promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Customer, provided such notification is legally permissible.
4.1 Sub-Processors. Customer authorizes the Service Provider to subcontract the Processing of Personal Data to third parties (the “Sub-Processors”). The Sub-Processors listed at https://cheq.ai/sub-processors/ as of the date of this DPA (the “Sub-Processor List”) are approved by the Customer. Such Sub-Processor List shall be updated by the Service Provider upon any change in the identity of the Sub-Processors. Customer may subscribe to Service Provider’s emails at: https://cheq.status.page/subscription to be notified when Service Provider makes any changes to the Sub-Processor List. You may review and present material and reasonable objections, if any, which objections must be provided to the Service Provider within 7 days from the update of the list of Sub-Processors. If you object to the use of a certain Sub-Processor (the “Applicable Sub-Processor”) for a legitimate reason and the parties cannot reach an amicable solution on how to proceed further, the Service Provider may terminate the Terms.
4.2 The Service Provider shall ensure by way of a written contract that Sub-Processors are required to comply with data protection obligations, which are no less onerous than the obligations to which the Service Provider is subject pursuant to this DPA. The Service Provider will remain liable to Customer for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of Personal Data.
5.1 Personal Data may be transferred from the EEA, Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
5.2 If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
5.2.1 from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply.
5.2.2 from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer”), the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply.
5.2.3 the terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
6.1 Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise Processed; all other unlawful forms of Processing; including (as appropriate): (i) the pseudonymization and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2 To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this DPA shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
6.3 At a minimum, Service Provider agrees to maintain the security measures detailed in Appendix A attached hereto.
CHEQ shall delete all Personal Data (to the extent technically feasible) within one hundred and twenty (120) days after the Term (as defined below) ends unless applicable law to which CHEQ is subject requires storage of the Personal Data or as otherwise permitted or required under this DPA. If instructed in writing by Customer, prior to expiration or termination of the Services, we will return a copy of Personal Data within a reasonable period and in a reasonable format at the Customer’s expense. Personal Data which cannot be erased shall be anonymized. If anonymization is not feasible, such data shall be retained “beyond use” and erased (to the extent technically feasible) as soon as reasonably possible (e.g. during periodic purge or deletion processes). Notwithstanding the foregoing, Customer acknowledges that CHEQ shall have the right to process and retain Personal Data for the purpose of provision, operation and support of its Services and for the purpose of administrating the contractual relationship with the Customer, including but not limited to the purposes of billing, audit and recordkeeping, account management, technical support, security, protection against fraudulent or illegal activity, and for the purpose of exercising and defending legal claims. To the extent that any data processed for such purposes or under a legal obligation to which CHEQ is subject is considered Personal Data, CHEQ shall be regarded as an independent Controller of such data and its processing shall be outside the scope of this DPA. Nothing here shall limit or restrict CHEQ’s ability to use anonymized and/or aggregated data for any purpose without limitation.
The term of this DPA shall be the term as set forth in the Terms.
9.1 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and Service Provider will promptly begin complying with such Data Protection Laws.
9.2 Any ambiguity in this DPA shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this DPA the Data Protection Laws shall prevail.
9.3 If this DPA does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of Personal Data.
9.4 If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease Processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Terms and Customer shall have the right to terminate the Terms immediately without penalty.
9.5 Please feel free to direct any questions or concerns regarding this DPA or our treatment of Personal Data by contacting us as provided herein below. If you have any questions about this DPA, please feel free to contact us at: dataprivacy@cheq.ai. Upon request, CHEQ shall make available to the Customer all information necessary to demonstrate compliance with the applicable articles of the GDPR or the UK GDPR, as applicable, including article 28 of the GDPR, and copies of our annual SOC 2 and ISO 27001 certificates.
9.6 To the extent compliance cannot reasonably be demonstrated through the abovementioned information and certificates CHEQ makes available to Customer, CHEQ will allow for and contribute to audits conducted by the Customer, or another auditor mandated by the Customer, all at the Customer’s own expense, upon reasonable advance written notice and subject to confidentiality obligations. Such audit shall be conducted no more frequently than once in any rolling twelve (12) month period. To request an audit, Customer must submit to CHEQ, ninety (90) working days in advance of the proposed audit date, (i) the name of the proposed auditor and (ii) a detailed proposed audit plan. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. CHEQ will review the name of the proposed auditor and the proposed audit plan and may reasonably object where the requested audit could compromise CHEQ’s business conduct, security, privacy, employment, or other relevant policies. In case of objection from CHEQ to the proposed auditor and/or audit plan, CHEQ and Customer agree to cooperate in good faith to find a mutually acceptable solution. Such audit shall be limited to CHEQ’s Processing activities performed on behalf of Customer. The approved auditor must be bound by a confidentiality agreement. CHEQ agrees to promptly notify Customer if CHEQ is unable to comply with this DPA for whatever reason. In such a case, Customer shall have the right to immediately suspend the Processing.
This DPA is governed by the laws as stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.
Any conflict between the provisions of the Order, the Terms, and this DPA shall be resolved in the following order of precedence, listed sequentially from highest precedence to lowest: (1) this DPA, (2) the Terms, and then (3) the Order.
Last Updated: January 1, 2024.
Appendix A – CHEQ Security Requirements
See available at: https://cheq.ai/appendix-a-cheq-security-requirements/
Appendix B: DETAILS OF PROCESSING
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the DPA and this Addendum.
The nature and purpose of the Processing of Personal Data
Service Provider is engaged to provide Services to the Customer which involve the Processing of Personal Data. The scope of the Services is set out in the Terms, and the Personal Data will be Processed by the Service Provider and Service Provider Affiliates to deliver those Services and to comply with the terms of the Terms and this DPA.
The types of Personal Data to be Processed
CHEQ
IP Address.
If, as part of the CHEQ services, the Customer chooses to integrate and apply the lead protection feature or the Privacy DSAR feature, then also email addresses and phone numbers.
Ensighten Services
Personal Information as configured by the Customer through the Service from time to time.
The categories of Data Subject to whom the Personal Data relates (insert description)
Visitors of Customer’s website
The obligations and rights of Service Provider and Service Provider Affiliates
The obligations and rights of Service Provider and Service Provider Affiliates are set out in the Terms and this DPA.
The Processing operations carried out in relation to the Personal Data
Collecting and recording the data, hosting the data, organising the data, adapting, or altering the data, and analyzing the data, in each case for the purposes of providing Services to Customer, the scope of which are set out in the Terms.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
PART 2 – UK Transfers
Background:
Interpretation:
Term | Meaning
--- | ---
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR | The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
UK | The United Kingdom of Great Britain and Northern Ireland
4. This Part 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
5. This Part 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
7. In the event of a conflict or inconsistency between this Part 2 and the provisions of the Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
8. This Part 2 incorporates the Standard Contractual Clauses which are deemed to be amended to the extent necessary so they operate:
a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
b. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.
9. The amendments required by Section 8 above, include (without limitation):
a. References to the “Clauses” means this Part 2 as it incorporates the Standard Contractual Clauses.
b. Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
c. References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
d. References to Regulation (EU) 2018/1725 are removed.
e. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”.
f. Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;
g. Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.
h. Clause 18 is replaced to state:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
i. The footnotes to the Clauses do not form part of this Part 2.
10. The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
11. The Parties may amend this Part 2 provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Standard Contractual Clauses and making changes to them in accordance with Section 8 above.
12. The Parties may give force to this Part 2 (incorporating the Standard Contractual Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Contractual Clauses.
PART 3 – Additional Safeguards