Data Processing Agreement – December 2021
How does CHEQ help secure client’s information?
December 20 2021
The entity using the CHEQ Services under the Terms of Services available at [https://www.cheq.ai/Terms_and_Conditions] ("Customer") and CHEQ AI Technologies Ltd. (the "Service Provider"), are parties to the Agreement, as defined below, to which this Data Protection Addendum applies.
If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance under the Agreement, Service Provider shall comply with the terms and conditions of this Data Protection Addendum ("Data Protection Addendum "). By signing this Data Protection Addendum, Service Provider shall qualify as the Data Processor and Service Provider, as such terms are defined under Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.t.
"Agreement" means the Terms of Service, as well as any order Form or other purchasing document between Customer and the Service Provider which involves Service Provider having access to or otherwise processing personal data; "Approved Jurisdiction" means a member state of the European Economic Area ("EEA"), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm. "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"Data Protection Laws" means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the California Consumer Privacy Act of 2018 ("CCPA"), Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR").
The terms "personal data", "process", "processing" and "Special Categories of Data" herein shall have the meaning ascribed to them in applicable Data Protection Laws.
3. DATA PROTECTION AND PRIVACY
If Service Provider has access to or otherwise processes personal data, then Service Provider shall:
only process the personal data in accordance with Customer's documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum; take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this Data Protection Addendum);
assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Service Provider) related to Service Provider’s processing of personal data; notify the Customer without undue delay, and no later than forty eight (48) hours, after becoming aware of a Breach Incident;
provide full, reasonable cooperation and assistance to Customer in: a) allowing data subjects to exercise their rights under the Data Protection Laws, b) including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision making, or do not sell my data; c) ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable).
only process or use personal data on its systems or facilities to the extent necessary to perform its obligations under the Agreement;
as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any personal data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request;
make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so; not lease, sell (including as defined in the CCPA) or otherwise distribute personal data;
promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Service Provider’s information security or privacy practices as it relates to the processing of personal data; promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any personal data to any person other than Customer; upon termination of the Agreement, or upon Customer's written request at any time during the term of the Agreement, Service Provider shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or 2) securely and completely destroy or erase all personal data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Customer’s request, Service Provider shall certify to Customer that it has fully complied with this clause.
Service Provider may subcontract its obligations under this Data Protection Addendum to another person or entity ("Contractor(s)"), provided that Service Provider shall inform the Customer of any intended changes concerning the addition/replacement of other processors at least 30 days prior to such change, and the Customer may notify Service Provider that it objects to such change and terminate the Agreement by written notice to the Customer. Service Provider will execute a written agreement with such approved Contractor containing equivalent terms to this Data Protection Addendum. Service Provider shall have a written security policy that provides guidance to its Contractors to ensure the security, confidentiality and integrity of personal data and systems maintained or processed by Service Provider. Customer may require Service Provider to provide Customer with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to personal data proposed. Service Provider shall be responsible for the acts or omissions of Contractors to the same extent it is responsible for its own actions or omissions under this Data Protection Addendum.
5. THE TRANSFER OF PERSONAL DATA
If the Service Provider is required to transfer personal data to a third country or an international organization under applicable laws, it shall inform the Customer of that legal requirement before processing; If, subject to Customer’s prior consent, Service Provider processes personal data from the EEA in a jurisdiction that is not an Approved Jurisdiction, Service Provider shall ensure that it has a legally approved mechanism in place to allow for the international data transfer. If Service Provider intends to rely on Standard Contractual Clauses, the following additional terms will apply to Service Provider and Service Provider’s Service Providers and/or affiliates (where subcontracting or performance is allowed by the Agreement): The Standard Contractual Clauses will apply. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this Data Protection Addendum. Service Provider will abide by the obligations set forth under the Standard Contractual Clauses for data importer and/or sub-processor as the case may be. If Service Provider subcontracts any processing of personal data (as allowed by the Agreement and Applicable Law), it will: a) Notify and obtain Customer’s advance written permission before proceeding; and b) Ensure that it has a legally approved mechanism in place to allow for the international data transfer, or that Contractors have entered into the Standard Contractual Clauses with Service Provider.
6. SECURITY STANDARDS
Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing to the extent that Service Provider processes Special Categories of Data, the security measures referred to in this Data Protection Addendum shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Service Provider will promptly begin complying with such Data Protection Laws. Any ambiguity in this Data Protection Addendum shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this Data Protection Addendum, the Data Protection Laws shall prevail. If this Data Protection Addendum does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data. Service Provider agrees that, in the event of a breach of this Data Protection Addendum, neither Customer nor any relevant Customer's customer will have an adequate remedy in damages and therefore either Customer or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of personal data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws. If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Customer shall have the right to terminate the Agreement immediately without penalty.
Customer, shall have the right to: (a) require from Service Provider all information necessary to, and (b) conduct its own audit and/or inspections of Service Provider (including its facilities or equipment involved in the processing of personal data) in order to: demonstrate compliance with the Data Protection Addendum. Such audit and/or inspection shall be conducted with reasonable advanced notice to Service Provider, and shall take place during normal business hours to reasonably limit any disruption to Service Provider’s business.
Appendix A - CHEQ Security Requirements
Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate):
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processingsystems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Service Provider will take the following security measures in addition to the above:
1. Physical Control Access /Physical Security. The Service Provider will take industry standard steps designed to prevent unauthorized persons from gaining access to Personal Data processing systemsby maintaining industry standard physical security controls at all Service Provider sites at which an information system that uses or houses Personal Data is located.
2. Logical/Data Access Control. The Service Provider will maintain appropriate access controls designed to prevent Personal Data processing systems from being used without proper authorization, including:
a) restricting access to Personal Data to only authorized Personnel who require such access in orderto perform the Services and providing the lowest level of access required in accordance with the “least privilege” approach and to the minimum number; and
b) implementing industry standard physical and electronic security measures to protect passwords or other access controls.
Further, Service Provider will:
a) Maintain user administration procedures: define user roles and their privileges; define how accessis granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms; and
b) Ensure that all employees of the Service Provider are assigned unique User-IDs.
3. Data Transfer Control/Network Security. The Service Provider will ensure that: (a) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control). The Service Provider will maintain network security using industry standard equipment and industry standard techniques,including firewalls, intrusion detection and prevention systems, and routing protocols; (b) it utilizes industry standard anti-virus and malware protection software to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use; and (c) it utilizes industry-standard encryption tools (not less than 128-bit key utilizing an encryption method approved by Company) and other secure technologies in connection with any and all Personal Data that Service Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; or (iii) stores on portable devices, where technically feasible (including safeguarding the security and confidentiality of all encryption keys associated with encrypted Sensitive Personal Data).
4. Availability Control/Separation Control. The Service Provider will implement appropriate policies and procedures to ensure that: (a) it Processes Personal Data in accordance with Company’s instructions; (b) it Processes separately Personal Data collected for different purposes; and (c) Personal Data is protected against accidental destruction or loss.
5. Organizational Security. The Service Provider will maintain security policies and procedures to classify sensitive or confidential information, clarify security responsibilities and promote awareness for employees by, among other things: (a) maintaining adequate procedures regarding the use, archiving, or disposal of media containing Personal Data; and
(b) managing Security Incidents in accordance with appropriate incident response procedures. In addition:
i) Prior to providing access to Personal Data to Service Provider personnel, the Service Provider will require Service Provider personnel to comply with its Information Security Program.
ii) The Service Provider will maintain a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physicalsecurity controls, security practices, and security incident reporting.
iii) The Service Provider will maintain procedures such that (A) when media are to be disposed of or reused, any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory will be prevented; and (B) when media are to leave the premises at which the files are located as a result of maintenance operations, any undue retrieval of Personal Information stored on them will be prevented.
6. Business Continuity. The Service Provider will maintain appropriate back-up, disaster recovery and business resumption plans, business continuity plan and risk assessment, and review and test these plans regularly to ensure that they are up to date and effective. Service Provider will maintainprocedures for reconstructing lost Personal Data in Service Provider’s possession or under Service Provider’s control, and correct, at Company’s request, any destruction, loss or alteration of any of Personal Data caused by Service Provider, or arising out of Service Provider’s breach of this Agreement.
7. Risk Assessments. Service Provider will conduct periodic risk assessments and reviews and, as appropriate, update its Information Security Program; provided that Service Provider will not modify its Information Security Program in a manner that would weaken or compromise the confidentiality, availability or integrity of Personal Data.