Data Processing Addendum
Last Revised: June 15, 2020
- Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
  - “Affiliate(s)” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  - “Applicable Laws” means any applicable law, including Data Protection Laws, to which Data Processor is subject with respect to any Personal Data;
  - “Data Protection Laws” means the GDPR, as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, and, if applicable, the Israeli privacy laws;
  - “EEA” means the European Economic Area;
  - “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), which is Processed by Data Processor or any of Data Processor’s Sub-processors on behalf of Data Controller as part of the performance of the Services under the Services Agreement, all to the extent that such data is subject to the GDPR;
  - “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  - “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  - “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data laid down by the European Commission, as updated, amended, replaced or superseded from time to time by the European Commission;
  - “Sub-processor” means any third party (but excluding an employee of Data Processor) appointed by or on behalf of Data Processor to Process Personal Data for the benefit of Data Controller as part of the performance of the services under the Services Agreement;
  - “Supervisory Authority” means (a) an independent public authority which is established by a Member State of the European Economic Area pursuant to Article 51 of the GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws; and
  - “Term” shall have the meaning ascribed to it under Section 12 below.
- Processing of Personal Data.
  - Data Processor, and any person acting under its authority, will carry out the Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services during the Term in accordance with the Services Agreement and other reasonable documented instructions provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instructions”); and (ii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest.
  - Data Controller instructs Data Processor (and authorises Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional Instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller to the Data Processor for carrying out such Instructions.
  - Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under the Services Agreement.
  - Data Processor shall treat Personal Data as confidential information and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
  - Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that the Personal Data has been collected, Processed and transferred in accordance with the laws applicable to Data Controller, including, if required by applicable law, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor under this DPA and the Data Subjects have been informed that their Personal Data could be transmitted to a third country outside of the EU/EEA.
  - Exhibit 1 of this DPA sets forth certain information regarding Data Processor’s Processing activities of the Personal Data, as required by Article 28(3) of the GDPR.
- Data Subjects.
  - Data Processor shall promptly notify Data Controller if Data Processor receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including without limitation the right of access, rectification, restriction of Processing, erasure, data portability, objection to the Processing, or the right not to be subject to automated individual decision making (“Data Subject Request”), and shall not respond to such request without Data Controller’s prior written consent, except to confirm that such request relates to Data Controller.
  - Taking into account the nature of the Processing, Data Processor has implemented in the Services certain technical and organisational measures to assist the Data Controller in independently fulfilling its obligation to respond to Data Subject Requests. However, due to technical limitations and the nature of the Services, not all Personal Data may be retrieved, accessed, amended, ported or restricted. Notwithstanding, all Personal Data is automatically deleted at regular 30-day intervals (or as otherwise set by the Data Controller) and may also be deleted at any time by the Data Controller, at its sole discretion. To the extent that Data Controller, while using the Services, does not have the ability to address a Data Subject Request, Data Processor shall, upon Data Controller’s request, make commercially reasonable efforts to assist Data Controller in responding to such Data Subject Request, to the extent Data Processor is technically capable of doing so.
- Supervisory Authorities. Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities, as required by Articles 35 and 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Personal Data by Data Processor and taking into account the nature of the Processing and the information available to the Data Processor. Data Controller acknowledges and agrees that assistance with data protection impact assessments and prior consultations by Data Processor may result in additional fees (which will be notified to Data Controller in advance).
- Security Breach Notification.
  - Data Processor shall notify Data Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
  - Data Processor shall provide Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Supervisory Authorities and Data Subjects of the Personal Data Breach under the Data Protection Laws, taking into account the nature of Processing and the information available to Data Processor, including the following information: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken, or proposed to be taken, to address the Personal Data Breach, including measures to mitigate its possible adverse effects. To the extent Data Processor does not have full information about the Personal Data Breach at the time of the initial notification, Data Processor shall provide an initial notification and then supplement it with additional information as it becomes available.
- During the Term, Data Processor shall keep records of its Processing activities in accordance with applicable Data Protection Laws.
- During the Term and upon request, Data Processor shall make available to Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller, all at Data Controller’s sole expense and only in order to ensure Data Processor’s compliance with the obligations laid down in Article 28 of the GDPR and this DPA. If and to the extent Data Controller engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, Data Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that Data Controller shall be entitled to conduct such inspection at any time if it reasonably suspects Data Processor to be in material breach of its obligations under this DPA and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by applicable Data Protection Laws.
- Data Controller shall provide Data Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Data Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
- It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under applicable Data Protection Laws. Furthermore, the Parties agree that such authority has the right to conduct an audit of the Parties with respect to the subject matter of this DPA.
- Nothing in this DPA will require Data Processor either to disclose to Data Controller (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any Applicable Law or its obligations to any third party.
- Data Controller hereby (i) grants Data Processor a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Data Processor (including without limitation Testim Computerized Verifications Ltd.) may be used as Sub-processors; and (iii) confirms that Data Processor may continue to use those Sub-processors already engaged by Data Processor as of the Effective Date of this DPA, which are detailed in the Company’s dedicated webpage at https://www.testim.io/sub-processors (“Existing Sub-processors”).
- Data Processor can at any time and without justification appoint a new Sub-processor, provided that prior to engaging any Sub-processor:
  - (a) Data Processor will provide fourteen (14) days’ prior notice to Data Controller regarding the engagement of a new Sub-processor, and the Data Controller does not reasonably object to such change within that timeframe on legitimate and documented grounds. If, in Data Processor’s sole discretion, Data Controller’s objection to an engagement of a Sub-processor is legitimate, Data Processor shall either refrain from using such Sub-processor in the context of the Processing of Personal Data, or shall notify Data Controller that it is unable to provide the Services without the use of such Sub-processor and that therefore it will suspend or restrict the Services (or the applicable part thereof) with immediate effect.
  - (b) Data Processor ensures that it has in place a sub-processing agreement between Data Processor and the Sub-processor that is no less protective with respect to Data Controller’s interests and the protection of Personal Data than this DPA. Upon Data Controller’s request, Data Processor shall provide Data Controller with an updated list of Sub-processors.
- Where the Sub-processor fails to fulfil its personal data protection obligations with respect to the Personal Data, Data Processor shall remain fully liable to Data Controller for the performance of that Sub-processor’s obligations.
- Transfers. The Data Processor warrants that where Personal Data is transferred outside of the EEA, it will be processed in accordance with the provisions of the Standard Contractual Clauses or Binding Corporate Rules, unless the processing takes place: (i) in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) by an organisation located in a country which has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield.
- Personnel. Data Processor will be responsible for using qualified personnel with data protection training to provide the Services and ensure that Data Processor’s access to the Personal Data is limited only to those personnel who require such access to perform the Services. Data Processor shall obligate its personnel to Process the relevant Personal Data only in accordance with this DPA. Data Processor will further ensure that its personnel authorised to Process the Personal Data on its behalf: (i) will do so only on a need-to-know basis; and (ii) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they will keep confidential and will not make available any Personal Data to any third party, other than as permitted herein.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor will implement technical and organizational security measures in order to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, as stipulated in Exhibit 2 of this DPA. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing. The technical and organizational security measures are subject to technical progress and development and the Data Processor may update or modify technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Deletion and Return of Personal Data. Upon termination of the Services Agreement and/or this DPA, Data Processor will delete or return to Data Controller, and instruct its Sub-processors to delete or return, all existing copies of the Personal Data which are in its possession. Data Processor may retain the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Term. This DPA shall become effective upon execution or acceptance of the Services Agreement (“Effective Date”) and shall remain in full force until the later of the date when Data Processor ceases to Process the Personal Data or termination of the Services Agreement (the “Term”). All provisions of this DPA, which by their language or nature should survive the termination of this DPA, will survive the termination of this DPA.
- Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Services Agreement governing the Services.
- Changes to this DPA. The Parties may amend this DPA from time to time by mutual agreement of both Parties, and subject to compliance with any required obligations under applicable Data Protection Laws.
- Miscellaneous. (i) This DPA represents the complete agreement concerning the subject matter hereof; (ii) except where explicitly agreed otherwise in writing by the Parties, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Services Agreement and any other agreements which may be entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail; (iii) the Parties to this DPA hereby agree to the governing law and the choice of jurisdiction stipulated in the Services Agreement with respect to any disputes or claims arising under this DPA; (iv) nothing in this DPA reduces either Party’s obligations under the Services Agreement in relation to the protection of Personal Data; and (v) should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
CUSTOMER HAS READ AND UNDERSTOOD THIS DPA AND AGREES TO BE BOUND BY ALL OF ITS TERMS AND CONDITIONS.
DETAILS OF PROCESSING OF PERSONAL DATA
- Subject matter of the Processing: The subject matter of the Processing of the Personal Data is as set forth in the Services Agreement, as supplemented by this DPA.
- Duration: As between Testim and Customer, the duration of the data processing activities under this DPA is determined by the Customer.
- The purpose of the Processing: The purpose of the data processing under this DPA is the provision of the Service, as set forth in the Services Agreement.
- Nature of the Processing: Quality assurance, software testing and such other Services as set forth in the Services Agreement.
- Type of Personal Data: Personal Data uploaded to the Services under Customer’s accounts in Testim’s Services.
- Categories of data subjects: The Data Subjects may include Customer’s customers, employees, suppliers and end-users or any other type of data subject set forth in the Services Agreement.
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by Data Processor according to Section 10 of the DPA:
Testim complies with the AICPA SOC 2 Type 2 – SOC for Service Organizations: Trust Services Criteria, based on an audit performed between June and August 2019. The controls examined include the following (the full SOC 2 Type 2 Report is available for review upon request):
- Control Environment
- Risk Assessment
- Risk Mitigation
- Information and Communication
- Access Control, User and Permissions Management
- Recertification of Access Permissions
- Revocation Process
- Production Environment Logical Access
- Physical Access and Visitors
- Software Development Lifecycle
- Infrastructure Change Management
- Production Environment
- Network Infrastructure
- Production Monitoring
- Data Center Security
- Infrastructure Security
- Application Security
- Operational Security
- Human Resource Security
- Data Encryption
- Availability Procedures and Disaster Recovery
- Confidentiality Procedures