This DATA PROCESSING ADDENDUM (the “DPA”) is entered into by and between Partner and Elder Technologies Inc. DBA Sage. Each of the Partner and Sage are hereinafter referred to individually as a “Party” and together as the “Parties”.
WHEREAS, in connection with Sage’s provisions of services to Partner pursuant to the Statement of Work to which this DPA is attached and that Master Services Agreement executed between the Parties (collectively with the Statement of Work, “Agreement”), Sage will create or receive personal data, personal information, or personally identifiable information, which is subject to protection under the California Consumer Privacy Act at Cal. Civ. Code §§ 1798.100 to 1798.199, as amended (“CCPA”), and similar state data privacy and protection laws, inclusive of all implementing regulations and guidance (collectively with the CCPA, “Data Protection Laws”).
WHEREAS, in light of the foregoing and the requirements of Data Protection Laws, Sage and Partner agree to be bound by the following terms and conditions.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
The PARTIES HEREBY AGREE as follows:
For the purposes of this DPA, the following terms shall have the meaning given to them below:
- “Personal Data” shall mean “personal data,” “personal information,” or “personally identifiable information,” as those terms are defined under Data Protection Laws that Sage processes for or on behalf of Partner through the performance of Services pursuant to the Agreement. Personal Data shall not include Underlying Data as defined in Agreement. Notwithstanding the foregoing, Personal Data shall not include any data that constitutes Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations ("HIPAA"), to the extent such PHI is subject to a Business Associate Agreement entered into between the Parties (the "BAA").
- “Security Incident” shall mean the unauthorized, accidental, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.
- “controller”, “data subject”, “processing”, “processor”, and “subprocessor” shall have the meaning given to them or any substantial equivalent of these terms under Data Protection Laws.
a. Partner shall: (i) be responsible for identifying and complying with its applicable obligations under Data Protection Laws in respect of its Processing of Personal Data; (ii) ensure that any instructions it issues to Sage comply with applicable law; (iii) provide all notices to and obtain all consents from data subjects, as applicable, under Data Protection Laws that apply to Partner; and (iv) be responsible for reviewing the information made available by Sage relating to the information security and making an independent determination as to whether such measures meet Partner’s requirements and legal obligations under applicable Data Protection Laws.
b. In the context of the processing carried out to provide the Services, Partner shall act as a controller and Sage shall act as a processor. Sage shall carry out such processing of Personal Data only to provide the Services and in accordance with the Partner’s documented instructions, except where such instructions would violate applicable law. Where Sage determines that Partner’s instructions violate applicable law, Sage shall inform the Partner of that legal requirement before engaging in any such required processing, unless Sage is prohibited by law from doing so.
c. Sage shall not, unless otherwise expressly permitted or required by law: (i) “sell” (as defined under Data Protection Laws) or “share” (as defined under the CCPA) the Personal Data, (ii) retain, use, disclose, or process the Personal Data for any purpose other than providing the Services, or (iii) retain, use, disclose, or process the Personal Data outside of the direct business relationship between the Parties, including by combining the Personal Data with any information that identifies or is reasonably capable of being associated with, or could reasonably be linked with any identified or identifiable individual or household, that Sage receives from, or on behalf of, another person or persons, except to the extent such combination is required to perform the Services, authorized by Partner in writing, or expressly permitted under Data Protection Law.
d. Sage shall implement appropriate technical and organizational measures to maintain a level of security appropriate to the risk, including the risk of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of, access to, or other processing of Personal Data. Such measures shall include a written information security program, periodic risk assessments, employee privacy and security training, and business continuity and disaster recovery procedures.
e. Sage shall also, with respect to Personal Data:
i. ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
ii. promptly notify the Partner, as applicable, about data subject requests and/or complaints it may receive and reasonably assist the Partner, insofar as this is possible, to respond to such requests and/or complaints;
iii. promptly inform the Partner in writing if it determines that the Partner’s instructions with respect to the processing violates any Data Protection Laws;
iv. assist the Partner with its compliance with its obligations related to the performance of data protection impact assessments and related prior consultations, to the extent each is required under Data Protection Laws;
v. enable the Partner to take reasonable and appropriate steps, to the extent reasonably requested, to: (a) ensure and document the compliance of Sage’s processing of Personal Data with obligations under Data Protection Laws and this DPA, including by making available to the Partner reasonably necessary information, and (b) stop and remediate any unauthorized processing of Personal Data; and
vi. promptly notify the Partner if Sage determines that it can no longer meet its obligations under Data Protection Laws in connection with the processing of the Personal Data.
a. Partner authorizes Sage to engage subprocessors as reasonably necessary to perform the Services and in accordance with this DPA. Partner agrees that Sage may continue to use those subprocessors, which have already been engaged by Sage as of the date of this DPA. Sage shall specifically inform the Partner in writing of any intended addition or replacement to such subprocessors at least thirty days in advance, thereby giving the Partner sufficient time to be able to object, on reasonable grounds related to data protection or compliance with Data Protection Laws, to such changes prior to the engagement of the concerned subprocessors. If Partner exercises such right to object to a new subprocessor, then Sage may, at Sage’s election: (a) recommend an alternate subprocessor; (b) recommend a change in the affected Services (including a change to Partner’s configuration, if applicable) to avoid processing of Personal Data by the objected-to subprocessor; or (c) recommend a modified use of the affected Services that avoids processing of Personal Data by the objected-to subprocessor.
b. Where Sage engages a subprocessor for carrying out specific processing activities, it shall do so by way of contract that imposes obligations that are no less protective than those imposed on Sage in accordance with this DPA.
Sage shall allow the Partner, or Partner’s appointed third party, to perform audits, including inspections, in relation to the processing of the Personal Data in accordance with this Section:
a. No more frequently than once per calendar year, unless otherwise required by regulators, supervisory authorities, or Data Protection Laws, the Partner’s representatives or its appointed auditors (collectively “Auditors”) shall have the right to take reasonable and appropriate steps to (i) ensure that Sage processes Personal Data in a manner consistent with the Partner’s obligations under this DPA and (ii) stop and remediate any unauthorized use of Personal Data. Sage will provide reasonable assistance to Auditors during their review and will make reasonably available information in its possession reasonably necessary to demonstrate Sage’s compliance with Data Protection Laws, including Sage resources and knowledge about its privacy and security policies and procedures.
b. Alternatively, Sage may arrange for a qualified and independent assessor to conduct, no more frequently than twice per calendar year (unless otherwise required by regulators, supervisory authorities, or Data Protection Laws), an assessment of Sage’s policies and technical and organizational measures in support of its obligations under this DPA, using an appropriate and accepted control standard or framework and assessment procedure. Sage shall provide a report of any such assessment to Partner upon request.
c. Unless a shorter time frame is required to comply with Data Protection Laws or regulators or supervisory authorities, Partner and Auditors must provide Sage with written notice thirty (30) business days prior to any visits, inspection, or interviews, and all such activities must be conducted at a mutually agreed scope, time, and location. Auditors will comply with Sage policies while on Sage premises or accessing Sage systems and will conduct their activities in a manner that does not unreasonably disrupt, delay, or interfere with Sage’s business.
d. The foregoing shall not require Sage to disclose legally privileged information, confidential information of third parties (including its other customers), trade secrets or other information protected by intellectual property law, or information unrelated to the Services.
e. The Parties and Auditors must enter into a non-disclosure agreement mutually acceptable to both Parties prior to any visits, inspection, interviews, or other actions the Auditors seek to undertake. Partner will provide Sage any reports generated in connection with any audit under this Section. Partner may use the reports only for the purposes of meeting Partner’s regulatory audit requirements or confirming compliance with this DPA. Any such report shall be treated as Confidential Information of the other Party under the terms of the Agreement.
a. Sage shall promptly notify Partner after becoming aware of any Security Incident, in any event within 72 hours of becoming aware of such incident. Sage shall provide, to the extent known after reasonable investigation of such incident, the following information to Partner:
- the name and contact details of a point of contact with Sage where more information can be obtained;
- a description of the nature of the Security Incident, including where possible the categories, number and jurisdictions of data subjects and the categories of affected Personal Data; and
- a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate any adverse effects known to Sage.
b. Sage’s compliance with this Section shall not be interpreted as admitting any wrongdoing or accepting any responsibility or liability for any Security Incident. As between Partner and Sage, Partner is solely responsible for complying with incident notification laws applicable to Partner and fulfilling any third-party notification obligations related to any Security Incident as required by applicable Data Protection Laws. Sage shall not be required to notify any third parties of any Security Incident on behalf of Partner. Each Party shall cooperate and obtain written permission of the other Party prior to notifying any data subject or third party of any Security Incident in any manner that identifies or is reasonably likely to identify the other Party.
a. Following termination of the Agreement and at Partner’s request, Sage shall delete all Personal Data processed on behalf of Partner, or, at Partner’s request, return all Personal Data to Partner and delete existing copies, provided that Sage shall be permitted to retain Personal Data: (i) to the extent expressly permitted under applicable law; (ii) in accordance with Sage’s internal compliance or recordkeeping policies; (iii) in automated electronic backup systems; and (iv) as otherwise agreed to by the Parties in writing. Sage shall limit the processing of such Personal Data to such purposes and extend the protections of this DPA to such Personal Data for as long as Sage maintains such Personal Data.
a. To the extent any data processed by Sage in connection with the Services constitutes PHI subject to the BAA, the terms and conditions of the BAA shall govern the processing of such data, and this DPA shall not apply to such data. In the event of any conflict or inconsistency between this DPA and the BAA with respect to the processing of PHI, the BAA shall control.
b. Nothing in this DPA shall be construed to limit, modify, or supersede the obligations of either Party under the BAA with respect to PHI.