InStride Data Processing Addendum (the “Addendum”)
Effective Starting: September 28, 2022
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Customer Agreement made between Attainment Hold Co. d/b/a Instride (“Instride”) and Company for the provision of the Instride Services (the “Agreement”). This DPA reflects the parties’ agreement with respect to the Processing of Customer’s Personal Information in accordance with the requirements of applicable Data Privacy Laws. To the extent the terms and conditions of this DPA are inconsistent with the Agreement or applicable Order Form, this DPA shall control as it relates to the Processing of Personal Information. References to the Agreement will be construed as including this DPA. This DPA shall be effective on the effective date of the Agreement or if the Agreement was effective prior to the publishing of this version of the DPA then the Effective Starting date published above for this DPA (provided that Customer has an Agreement in place already) (“Effective Date”). Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
Definitions. For purposes of this Addendum:
- “Data Privacy Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”). For the avoidance of doubt, if InStride’s Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
- “Data Subject” means an identified or identifiable natural person about whom Personal Information relates.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
- “Personal Information” has the same meaning as defined in the Agreement.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
- Scope and Purposes of Processing
- The scope, nature, purposes, and duration of the processing, the types of Personal Information Processed, and the Data Subjects concerned are set forth in this Addendum, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide some or all of such details under any Data Privacy Law.
- InStride will Process Personal Information solely: (1) to fulfill its obligations to Company under the Agreement, including this Addendum; (2) on Company’s behalf; and (3) in compliance with Data Privacy Laws. InStride will not “sell” Personal Information (as such term in quotation marks is defined in applicable Data Privacy Laws), “share” or Process Personal Information for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Privacy Laws), or otherwise Process Personal Information for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Company.
- InStride will not attempt to link, identify, or otherwise create a relationship between Personal Information and non-Personal Information or any other data without the express authorization of Company.
- Personal Information Processing Requirements. InStride will:
- Ensure that the persons it authorizes to Process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Provide the same level of protection for Personal Information as is required under the Data Privacy Laws applicable to Company.
- Upon written request of Company, assist Company in the fulfillment of Company’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Information), at Company’s reasonable expense.
- Promptly notify Company of (i) any third-party or Data Subject complaints regarding the Processing of Personal Information; or (ii) any government or Data Subject requests for access to or information about InStride’s Processing of Personal Information on Company’s behalf, unless prohibited by Data Privacy Laws. InStride will provide Company with reasonable cooperation and assistance in relation to any such request. If InStride is prohibited by applicable Data Privacy Laws from disclosing the details of a government request to Company, InStride shall inform Company that it can no longer comply with Company’s instructions under this Addendum without providing more details and await Company’s further instructions. InStride shall use all available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
- Provide reasonable assistance to and cooperation with Company for Company’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Information, when required by applicable Data Privacy Laws, and at Company’s reasonable expense.
- Provide reasonable assistance to and cooperation with Company for Company’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Information, including complying with any obligation applicable to InStride under Data Privacy Laws to consult with a regulatory authority in relation to InStride’s Processing or proposed Processing of Personal Information.
- InStride certifies that it understands its obligations under this Addendum (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
- Data Security. InStride will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Information, as set forth in Schedule B.
- Security Breach. InStride will notify Company promptly and without undue delay of any known Security Breach and will assist Company in Company’s compliance with its Security Breach-related obligations, including without limitation, by:
- Taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Information was involved; and
- Providing Company with the following information, to the extent known:
- The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Information records concerned.
- The likely consequences of the Security Breach; and
- Measures taken or proposed to be taken by InStride to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Company acknowledges and agrees that InStride may use InStride affiliates and other subcontractors to Process Personal Information in accordance with the provisions within this Addendum and Data Privacy Laws. Where InStride sub-contracts any of its rights or obligations concerning Personal Information, including to any affiliate, InStride will take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Information consistent with applicable Data Privacy Laws.
- InStride will provide a current list of InStride’s subcontractors upon Company’s request, and Company hereby consents to InStride’s use of such subcontractors. InStride will maintain an up-to-date list of its subcontractors, and it will provide Company with notice of any new subcontractor added to the list. In the event Company objects to a new subcontractor, InStride will use reasonable efforts to make available to Company a change in the services, or recommend a commercially reasonable change to Company’s use of the services, to avoid Processing of Personal Information by the objected-to subcontractor without unreasonably burdening the Company. Company may, in its sole discretion, terminate the Agreement at any time and without prior notice in the event that it objects to a subcontractor and InStride is unable to change the services to satisfy Company.
- Data Transfers.
- InStride will not engage in any cross-border Processing of Personal Information, or transmit, directly or indirectly, any Personal Information to any country outside of the country from which such Personal Information was collected, without complying with applicable Data Privacy Laws. Where InStride engages in an onward transfer of Personal Information, InStride shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Information from one country to another.
- To the extent legally required, by signing this Addendum, Company and InStride are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Information from Company (as a controller) to InStride (as a processor);
- Clause 7 (the optional docking clause) is included;
- Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth as indicated in Section 6(b) of this Addendum and InStride shall update that list and provide a notice to Company in advance of any intended additions or replacements of sub-processors as provided in Section 6.
- Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the laws of Ireland;
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this Addendum;
- Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
- Annex II (Technical and organizational measures) is completed with Schedule B of this Addendum; and
- Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
- With respect to Personal Information transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this Addendum and takes precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
- Table 1 of the UK SCCs:
- The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer.
- The Key Contacts shall be the contacts set forth in Schedule A.
- Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
- Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below.
- Table 4 of the UK SCCs: Either Party may end this Addendum as set out in Section 19 of the UK SCCs.
- By entering into this Addendum, the Parties are deemed to be signing the UK SCCs.
- For transfers of Personal Information that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
- Additional Safeguards for the Transfer and Processing of Personal Information from the EEA, Switzerland, and the United Kingdom. To the extent that InStride Processes Personal Information of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, InStride agrees to the following safeguards to protect such data to an equivalent level as applicable Data Privacy Laws:
- InStride and Company shall encrypt all transfers of the Personal Information between them, and InStride shall encrypt any onward transfers it makes of such Personal Information, to prevent the acquisition of such data by third parties.
- InStride represents and warrants that:
- as of the date of this Addendum, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
- no court has found InStride to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- it is not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702.
- InStride will use all reasonably available legal mechanisms to challenge any demands for Personal Information access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Upon Company’s request, InStride shall provide a transparency report indicating the types of binding legal demands for the Personal Information it has received, including national security orders and directives.
- InStride will promptly notify Company if InStride can no longer comply with the applicable clauses in this Section. InStride shall not be required to provide Company with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Company to terminate the Agreement (or, at Company’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Company’s other rights and remedies with respect to a breach of the Agreement.
- Audits. InStride will make available to Company all reasonable information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company, provided that such audit shall occur no more than once every twelve (12) calendar months, upon reasonable prior written notice, and, to the extent InStride’s personnel are required to cooperate thereupon, during InStride’s normal business hours.
- Return or Destruction of Personal Information. Except to the extent required otherwise by Data Privacy Laws, InStride will, at the choice of Company and per Company’s written request, return to Company and/or securely destroy all Personal Information. Except to the extent prohibited by Data Privacy Laws, InStride will inform Company if it is not able to return or delete the Personal Information.
- Survival. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as InStride or its subcontractors Process the Personal Information.
ANNEX IA. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): Company
Name: … As provided in the Agreement
Address: … As provided in the Agreement
Contact person’s name, position and contact details: … As provided in the Agreement
Activities relevant to the data transferred under these Clauses: The processing activities as described in the Agreement and any relevant Statements of Work.
Signature and date: … As provided in the Agreement and this DPA
Role (controller/processor): Controller
Data importer(s): InStride
Address: 700 S. Flower St., Suite 1800, Los Angeles, CA 90017
Contact person’s name, position and contact details: [email protected]
Activities relevant to the data transferred under these Clauses: The processing activities as described in the Agreement and any relevant Statements of Work
Signature and date: … As provided in the Agreement and this DPA
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred:
Company’s employees and/or employee’s family members or dependents.
Categories of personal data transferred:
- Basic contact details (e.g., name, email, phone number, address)
- Device and usage information (e.g., IP address, unique device identifiers, service usage data)
- Demographic and interests data (e.g., information about a person’s age, preferences, hobbies, likely income bracket, advertising segments)
- Financial data (e.g., financial account information)
- Government identifiers (e.g., SSN, driver’s license, passport)
- Precise geo-location information (e.g., GPS coordinates)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measure: N/A
Sensitive data shall be protected by InStride in accordance with Exhibit A and as necessary depending on the type and sensitivity of the data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
On a continuous basis for as long as Company is engaging InStride to provide the Services.
Nature of the processing:
The nature of the Processing is as set forth in the Agreement and any relevant Statements of Work.
Purpose(s) of the data transfer and further processing:
The purposes for the data transfer are to facilitate InStride’s provision of services pursuant to the Agreement and any relevant Statements of Work.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Transfers to subprocessors are for the same purposes as transfers to the processor.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland Data Protection Commissioner
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See Schedule B immediately below.
INSTRIDE DATA SECURITY MEASURES
InStride will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Information:
InStride’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Information (“Data Personnel”). InStride’s security requirements cover the following areas:
- Information Security Policies and Standards. InStride will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Information.
- Physical Security. InStride will maintain commercially reasonable security systems at all InStride sites at which an information system that uses or stores Personal Information is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. InStride will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. InStride maintains commercially reasonable information security policies and procedures addressing network security.
- Access Control. InStride agrees that: (1) only authorized InStride staff can grant, modify, or revoke access to an information system that Processes Personal Information; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. InStride protects Personal Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Information.
- Personnel. InStride has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- Business Continuity. InStride implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. InStride also adjusts its Information Security Program in light of new laws and circumstances, including as InStride’s business and Processing change.