Prometics GDPR Data Processing Addendum

  Last updated: April 2, 2022   This Data Processing Addendum (“DPA”) supplements the Prometics Master Servicing Agreement available at prometics.com/msa, as updated from time to time between Customer and Prometics, or other agreement between Customer and Prometics governing Customer’s use of the Master Servicing Agreement (the “Agreement”) when the GDPR applies to your use of the Prometics Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Prometics, Inc. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 17 of this DPA.

---

1. 1. Data Processing.
      1. Scope and Roles. This DPA applies when Customer Data is processed by Prometics. In this context, Prometics will act as processor to Customer, who can act either as controller or processor of Customer Data.
      2. Customer Controls. Customer can use the Service Controls to assist it with its obligations under the GDPR, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that Prometics would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Prometics becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Prometics will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing the Service Controls that Customer can use to erase or rectify Customer Data.
      3. Details of Data Processing.
         1. Subject matter. The subject matter of the data processing under this DPA is Customer Data.
         2. Duration. As between Prometics and Customer, the duration of the data processing under this DPA is determined by Customer.
         3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
         4. Nature of the Processing. Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
         5. Type of Customer. Customer Data uploaded to the Services under Customer’s Prometics accounts.
         6. Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers and End Users.
      4. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.
   2. Customer Instructions. The parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Prometics’s processing of Customer Data (“Documented Instructions“). Prometics will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Prometics and Customer, including agreement on any additional fees payable by Customer to Prometics for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Prometics declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Customer agrees that it is unlikely Prometics can form an opinion on whether Documented Instructions infringe the GDPR. If Prometics forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
   3. Confidentiality of Customer Data. Prometics will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Prometics a demand for Customer Data, Prometics will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Prometics may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Prometics will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Prometics is legally prohibited from doing so.
   4. Confidentiality Obligations of Prometics Personnel. Prometics restricts its personnel from processing Customer Data without authorization by Prometics as described in the Prometics Security Requirements. Prometics imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
   5. Security of Data Processing.
      1. Prometics has implemented and will maintain the technical and organizational measures for the Prometics Network as described in the Prometics Security Requirements (Master Servicing Agreement, Exhibit A) and this Section. In particular, Prometics has implemented and will maintain the following technical and organizational measures:
         1. security of the Prometics Network as set out in Section 3 of the Prometics Security Requirements;
         2. physical security of the facilities as set out in Section 7 of the Prometics Security Requirements;
         3. measures to control access rights for Prometics employees and contractors to the Prometics Network as set out in Section 3 of the Prometics Security Requirements; and
         4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Prometics as described in Section 2 of the Prometics Security Requirements.
      2. Customer can elect to implement technical and organizational measures to protect Customer Such technical and organizational measures include the following which can be obtained by Customer from Prometics as described in the Documentation, or directly from a third party supplier:
         1. pseudonymization and encryption to ensure an appropriate level of security;
         2. measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Customer; measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
         3. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.
   6. Sub-processing.
      1. Authorized Sub-processors. Customer provides general authorization to Prometics’s use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors“) in accordance with this Section.

List of current Sub-processors:

Amazon Web Services

Purpose: Cloud hosting and infrastructure provider

Transfer Mechanism: SCCs

Sub-processor Resources: AWS Sub-processors

At least 30 days before Prometics engages a Sub-processor, Prometics will update the applicable website and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which Prometics has engaged the Sub-processor; or (iii) move the relevant Customer Data to another Prometics Region where Prometics has not engaged the Sub-processor.

1. Sub-processor Obligations. Where Prometics authorizes a Sub-processor as described in Section 6.1:
   1. Prometics will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Prometics will prohibit the Sub-processor from accessing Customer Data for any other purpose;
   2. Prometics will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Prometics under this DPA, Prometics will impose on the Sub-processor the same contractual obligations that Prometics has under this DPA; and
   3. Prometics will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Prometics to breach any of Prometics’s obligations under this DPA.

• Prometics Assistance with Data Subject Requests. Prometics shall promptly notify Customer if Prometics receives a request from a Data Subject that identifies Customer Personal Data (Customer Data that is Personal Data) or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). The Service provides Customer with a number of controls that Customer may use to assist it in responding to Data Subject Requests and Customer will be responsible for responding to any such Data Subject Requests. To the extent Customer is unable to access the relevant Customer Personal Data within the Service using such controls or otherwise, Prometics shall (upon Customer’s written request and taking into account the nature of the Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.
• Optional Security Features. Prometics makes available many Service Controls that Customer can elect to use. Customer is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the Services, (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorized access and measures to control access rights to Customer Data.
• Security Incident Notification.

• 1. Security Incident. Prometics will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
  2. Prometics Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Prometics will cooperate with and assist Customer by including in the notification under Section 9.1(a) such information about the Security Incident as Prometics is able to disclose to Customer, taking into account the nature of the processing, the information available to Prometics, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security
  3. Unsuccessful Security incidents. Customer agrees that:
     1. an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Prometics’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
     2. Prometics’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Prometics of any fault or liability of Prometics with respect to the Security Incident.
  4. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Prometics selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Prometics software and secure transmission at all times.
• Prometics Certifications and Audits.
  1. Prometics SOC Reports. In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA in place, Prometics will make available the following documents and information:
     1. the System and Organization Controls (SOC) 1 Report.
  2. Prometics Audits. Prometics uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which Prometics provides the Services. This audit: (a) will be performed at least annually; (b) will be performed according to SOC standards or such other alternative standards that are substantially equivalent to SOC; (c) will be performed by independent third party security professionals at Prometics’s selection and expense; and (d) will result in the generation of an audit report (“Report“), which will be Prometics’s Confidential Information.
  3. Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Prometics will provide Customer with a copy of the Report so that Customer can reasonably verify Prometics’s compliance with its obligations under this DPA.
  4. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Prometics, Prometics will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Prometics makes available under this Section 10.
• Customer Audits. Customer chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf, and on behalf of its controllers when Customer is acting as a processor, under the GDPR or the Standard Contractual Clauses, by instructing Prometics to carry out the audit described in Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Prometics written notice as provided for in the Agreement. If Prometics declines to follow any instruction requested by Customer regarding audits, including inspections, Customer is entitled to terminate the Agreement in accordance with its terms.
• Transfers of Personal Data.
  1. Regions. Customer can specify the location(s) where Customer Data will be processed within the Prometics Network (each a “Region“), including Regions in the EEA. Once Customer has made its choice, Prometics will not transfer Customer Data from Customer’s selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.
  2. For any transfers by Customer of Customer Personal Data from the European Economic Area and its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Prometics in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under applicable Data Protection Laws, such as those directly below in 7.2.1. For clarity, for transfers from the United Kingdom and Switzerland, references in the SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., “Member State” shall be interpreted to mean “United Kingdom” for transfers from the United Kingdom).
• Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date“).
• Return or Deletion of Customer Data. At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Agreement, Prometics will return or delete Customer Data when Customer requests such return or deletion. No later than the end of this 90-day period, Customer will close all Prometics accounts containing Customer Data.
• Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Prometics, Prometics will inform Customer without undue delay. Prometics will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.
• Entire Agreement; Conflict. This DPA incorporates the Standard Contractual Clauses by Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in this document varies or modifies the Standard Contractual Clauses.
• Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Prometics Network” means Prometics’s data center facilities, servers, networking equipment, and host software systems (for example, virtual firewalls) that are within Prometics’s control and are used to provide the Services.

“Prometics Security Requirements” means the security standards in the Agreement as Exhibit A.

“controller” has the meaning given to it in the GDPR.

“Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s Prometics accounts.

“EEA” means the European Economic Area.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed”

will be interpreted accordingly.

“processor” has the meaning given to it in the GDPR.

“Security Incident” means a breach of Prometics’s security leading to the accidental or unlawful

destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.

“Service Controls” means the controls, including security features and functionalities, that the Services provide, as described in the Documentation.

“SCCs” means together (i) “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and (ii) “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”).

“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR)