Data Processing Agreement
December 9 2022
December 9 2022
The security of our customer data is of utmost importance to us. We (“CHEQ” as such term is defined in the Order” or “We” or “Service Provider”), want to make the customer’s experience satisfying and safe. Because We secure and process certain types of information, we believe that our customers should fully understand the terms and conditions surrounding the processing of data through our Services. This Data Processing Agreement (the “DPA”) describes how We process and secure Personal Data (as defined below) and shall be subject to the Terms of Service. Any term used herein and not otherwise defined, shall have the meaning ascribed thereto in the Services Agreement.
1. SCOPE
The entity using the Services under the Services Agreement (“Customer”) and the Service Provider are parties to the Services Agreement to which this DPA applies. If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance of Services under the Services Agreement, the parties shall comply with the terms and conditions of this DPA.
2. DEFINITIONS
All capitalized terms not defined in this DPA, shall have the meanings set forth in the SERVICES AGREEMENT.
“Approved Jurisdiction” means a member state of the European Economic Area (“EEA”), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
“CCPA” means the California Consumer Privacy Act of 2018.
“Controller” means Customer, within the meaning of article 4 (7) of the GDPR.
“Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the GDPR and CCPA.
“Processor” means CHEQ, within the meaning of article 4 (8) of the GDPR.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Services Agreement” means the agreement entered between the Customer and the Service Provider.
“Standard Contractual Clauses” means the standard contractual clauses located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this DPA.
The terms “personal data”, “process”, “processing” and “Special Categories of Data” herein shall have the meaning ascribed to them in applicable Data Protection Laws.
3. DATA PROTECTION AND PRIVACY
If Service Provider has access to or otherwise processes personal data, then Service Provider shall:
3.1 only process the personal data in accordance with Customer’s documented instructions and on its behalf, and in accordance with the SERVICES AGREEMENT and this DPA.
3.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this DPA);
3.3 assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the Services provided by Service Provider) related to Service Provider’s processing of personal data;
3.4 notify the Customer without undue delay, and no later than two (2) business days after becoming aware of a Security Incident;
3.5 provide full, reasonable cooperation and assistance to Customer in:
3.5.1 allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision making, or do not sell my data;
3.5.2 ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
3.5.3 Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable).
3.6 only process or use personal data on its systems or facilities to the extent necessary to perform its obligations under the Services Agreement.
3.7 as required under Data Protection Laws, maintain accurate written records of any and all the processing activities of any personal data carried out under the SERVICES AGREEMENT (including the categories of processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request;
3.8 make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so;
3.9 not lease, sell (including as defined in the CCPA) or otherwise distribute personal data;
3.10 promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Service Provider’s information security or privacy practices as it relates to the processing of personal data, provided such notification is legally permissible.
3.11 promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any personal data to any person other than Customer, provided such notification is legally permissible.
3.12 upon termination of the SERVICES AGREEMENT, or upon Customer’s written request at any time during the Term of the SERVICES AGREEMENT, Service Provider shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or 2) securely and completely destroy or erase all personal data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Customer’s request, Service Provider shall certify to Customer that it has fully complied with this clause.
4. SUBPROCESSORS
4.1 Sub-Processors. Customer authorizes the Service Provider to subcontract the processing of Personal Data to third parties (the “Sub-Processors”). The Sub-Processors listed at https://cheq.ai/sub-processors/ as at the date of this Agreement (the “Sub-Processor List”) are approved by the Customer. Such Sub-Processor List shall be updated by the Service Provider upon any change in the identity of the Sub-Processors. You may review and present material and reasonable objections, if any, which objections must be provided to the Service Provider within 7 days from the update of the list of subcontractors. If you object to the use of a certain Sub-Processor (the “Applicable Sub-Processor”), for a legitimate reason and the parties cannot reach an amicable solution on how to proceed further, the Service provider may terminate the term of the SERVICES AGREEMENT.
4.2 The Service Provider shall ensure by way of a written contract that Sub-Processors are required to comply with data protection obligations, which are no less onerous than the obligations to which the Service Provider is subject pursuant to this DPA. The Service Provider will remain liable to Customer for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of personal data.
5. THE TRANSFER OF PERSONAL DATA
5.1 If the Service Provider is required to transfer personal data to a third country or an international organization under applicable laws, outside EEA in a jurisdiction that is not an Approved Jurisdiction, Service Provider shall ensure that it has a legally approved mechanism in place to allow for the international data transfer. If Service Provider intends to rely on Standard Contractual Clauses, the following additional terms will apply to Service Provider.
5.2 Service Provider will abide by the obligations set forth under the Standard Contractual Clauses for data importer and/or sub-processor as the case may be.
5.3 If Service Provider subcontracts any processing of personal data (as allowed by the SERVICES AGREEMENT and Applicable Law), it will:
5.3.1 Notify and obtain Customer’s advance written permission before proceeding; and
5.3.2 Ensure that it has a legally approved mechanism in place to allow for the international data transfer, or that the contractors have entered into the Standard Contractual Clauses with Service Provider.
6. SECURITY STANDARDS
6.1 Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate): (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2 To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this DPA shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
6.3 At a minimum, Service Provider agrees to maintain the security measures detailed in Appendix A attached hereto.
7. GENERAL
7.1 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA , and Service Provider will promptly begin complying with such Data Protection Laws.
7.2 Any ambiguity in this DPA shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this DPA the Data Protection Laws shall prevail.
7.3 If this DPA does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data.
7.4 If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the SERVICES AGREEMENT and Customer shall have the right to terminate the SERVICES AGREEMENT immediately without penalty.
7.5 Compliance. Please feel free to direct any questions or concerns regarding this DPA or our treatment of Personal Data by contacting us as provided herein below. If you have any questions about this DPA, please feel free to contact us at: dataprivacy@cheq.ai; At request, CHEQ shall make available to the Customer all information necessary to demonstrate compliance with the applicable articles of the GDPR, including article 28 of the GDPR, and copies of our annual SOC 2 and ISO 27001 certificates. To the extent compliance cannot reasonably be demonstrated through the abovementioned information and certificates CHEQ makes available to Customer, CHEQ will allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer, all at the Customer’s own expense, upon reasonable advanced written notice and subject to confidentiality obligations.
7.1 Such audit shall be conducted no more frequently than once in any rolling twelve (12) month period.
7.2 To request an audit, Customer must submit to CHEQ ninety working days in advance of the proposed audit data (i) the name of the proposed auditor; (ii) a detailed proposed audit plan to CHEQ. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. CHEQ will review the name of the proposed auditor and the proposed audit plan, and may reasonably object where the requested audit could compromise CHEQ’s business conduct, security, privacy, employment or other relevant policies. In case of objection from CHEQ to the proposed auditor and/or audit plan, CHEQ and Customer agree to cooperate in good faith to find a mutually acceptable solution.
7.3 Such audit shall be limited to CHEQ’s Processing activities performed on behalf of Customer.
7.4 The approved auditor must be bound by a confidentiality agreement. CHEQ agrees to promptly notify Customer if CHEQ is unable to comply with this DPA for whatever reason. In such a case, Customer shall have the right to immediately suspend the Processing.
8. Retention of Personal Data. CHEQ shall delete or return all Personal Data, including existing copies, after the Term (as defined below) ends, unless relevant local law to which CHEQ is subject requires storage of the Personal Data. During the Term, CHEQ will retain Personal Data for a period of up to 3 months from the day such Personal Data had been uploaded to the Services, unless the Personal Data has to be kept for a longer period, such as in the context of legal obligations.
9. Term. The term of this Agreement shall be the term of the SERVICES AGREEMENT.
10. Governing Law & Jurisdiction. This Agreement is governed by the laws as stipulated in the SERVICES AGREEMENT with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the SERVICES AGREEMENT.
11. Interpretation. Any conflict between the provisions of the Order, the SERVICES AGREEMENT and this DPA, shall be resolved in the following order of precedence, listed sequentially from highest precedence to lowest: (1) this DPA (2) SERVICES AGREEMENT, and then (3) the Orde.
Last Updated: August, 2022
Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate):
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Service Provider will take the following security measures in addition to the above:
1. Physical Control Access /Physical Security. The Service Provider will take industry standard steps designed to prevent unauthorized persons from gaining access to Personal Data processing systems by maintaining industry standard physical security controls at all Service Provider sites at which an information system that uses or houses Personal Data is located.
2. Logical/Data Access Control. The Service Provider will maintain appropriate access controls designed to prevent Personal Data processing systems from being used without proper authorization, including:
a) restricting access to Personal Data to only authorized Personnel who require such access in order to perform the Services and providing the lowest level of access required in accordance with the “least privilege” approach and to the minimum number; and
b) implementing industry standard physical and electronic security measures to protect passwords or other access controls.
Further, Service Provider will:
a) Maintain user administration procedures: define user roles and their privileges; define how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms; and
b) Ensure that all employees of the Service Provider are assigned unique User-IDs.
3. Data Transfer Control/Network Security. The Service Provider will ensure that: (a) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control). The Service Provider will maintain network security using industry standard equipment and industry standard techniques, including firewalls, intrusion detection and prevention systems, and routing protocols; (b) it utilizes industry standard anti-virus and malware protection software to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use; and (c) it utilizes industry-standard encryption tools (not less than 128-bit key utilizing an encryption method approved by Company) and other secure technologies in connection with any and all Personal Data that Service Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; or (iii) stores on portable devices, where technically feasible (including safeguarding the security and confidentiality of all encryption keys associated with encrypted Sensitive Personal Data).
4.Availability Control/Separation Control. The Service Provider will implement appropriate policies and procedures to ensure that: (a) it Processes Personal Data in accordance with Company’s instructions; (b) it Processes separately Personal Data collected for different purposes; and (c) Personal Data is protected against accidental destruction or loss.
5. Organizational Security. The Service Provider will maintain security policies and procedures to classify sensitive or confidential information, clarify security responsibilities and promote awareness for employees by, among other things: (a) maintaining adequate procedures regarding the use, archiving, or disposal of media containing Personal Data; and (b) managing Security Incidents in accordance with appropriate incident response procedures. In addition:
i) Prior to providing access to Personal Data to Service Provider personnel, the Service Provider will require Service Provider personnel to comply with its Information Security Program.
ii) The Service Provider will maintain a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physical security controls, security practices, and security incident reporting.
iii) The Service Provider will maintain procedures such that (A) when media are to be disposed of or reused, any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory will be prevented; and (B) when media are to leave the premises at which the files are located as a result of maintenance operations, any undue retrieval of Personal Information stored on them will be prevented.
6. Business Continuity. The Service Provider will maintain appropriate back-up, disaster recovery and business resumption plans, business continuity plan and risk assessment, and review and test these plans regularly to ensure that they are up to date and effective. Service Provider will maintain procedures for reconstructing lost Personal Data in Service Provider’s possession or under Service Provider’s control, and correct, at Company’s request, any destruction, loss or alteration of any of Personal Data caused by Service Provider , or arising out of Service Provider’s breach of this Agreement.
7. Risk Assessments. Service Provider will conduct periodic risk assessments and reviews and, as appropriate, update its Information Security Program; provided that Service Provider will not modify its Information Security Program in a manner that would weaken or compromise the confidentiality, availability or integrity of Personal Data.
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Personal Data
Service Provider is engaged to provide Services to the Customer which involve the Processing of Personal Data. The scope of the Services is set out in the Agreement, and the Personal Data will be Processed by the Service Provider and Service Provider Affiliates to deliver those Services and to comply with the terms of the Agreement and this Addendum.
The types of Personal Data to be Processed
IP Address
The categories of Data Subject to whom the Personal Data relates
Visitors of Customer’s website
The obligations and rights of Service Provider and Service Provider Affiliates
The obligations and rights of Service Provider and Service Provider Affiliates are set out in the Agreement and this Addendum.
The Processing operations carried out in relation to the Personal Data
Collecting and recording the data, hosting the data, organizing the data, adapting or altering the data, and analyzing the data, in each case for the purposes of providing Services to Customer, the scope of which are set out in the Agreement.
Last Updated December 2022